VYPR

CWE-1386

Insecure Operation on Windows Junction / Mount Point

Base | Incomplete

Description

The product opens a file or directory, but it does not properly prevent the name from being associated with a junction or mount point to a destination that is outside of the intended control sphere.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (4)

  • CVE-2025-58074 | High | May 4, 2026
    risk 0.57 | cvss 8.8 | epss 0.00

    A privilege escalation vulnerability exists during the installation of Norton Secure VPN via the Microsoft Store. A low-privilege user can replace files during the installation process, which may result in deletion of arbitrary files that can lead to elevation of privileges.

  • CVE-2024-7400 | High | Sep 27, 2024
    risk 0.55 | cvss | epss 0.00

    The vulnerability potentially allowed an attacker to misuse ESET’s file operations during the removal of a detected file on the Windows operating system to delete files without having proper permissions to do so.

  • CVE-2026-41116 | Medium | Jun 9, 2026
    risk 0.41 | cvss 6.3 | epss 0.00

    Dell Inventory Collector Client, versions prior to 13.8.0, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Arbitrary File Write.

  • CVE-2023-5834 | Oct 27, 2023
    risk 0.00 | cvss | epss 0.00

    HashiCorp Vagrant's Windows installer targeted a custom location with a non-protected path that could be junctioned, introducing potential for unauthorized file system writes. Fixed in Vagrant 2.4.0.