CWE-59
Improper Link Resolution Before File Access ('Link Following')
BaseDraftLikelihood: Medium
Description
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-132 · CAPEC-17 · CAPEC-35 · CAPEC-76
CVEs mapped to this weakness (534)
page 2 of 27| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-9968 | Hig | 0.55 | — | 0.00 | Oct 13, 2025 | A link following vulnerability exists in the UnifyScanner component of Armoury Crate. This vulnerability may be triggered by creating a specially crafted junction, potentially leading to local privilege escalation. For more information, please refer to section 'Security Update for Armoury Crate App' in the ASUS Security Advisory. | |
| CVE-2025-43490 | Hig | 0.55 | — | 0.00 | Aug 15, 2025 | A potential security vulnerability has been identified in the HPAudioAnalytics service included in the HP Hotkey Support software, which might allow escalation of privilege. HP is releasing software updates to mitigate the potential vulnerability. | |
| CVE-2025-23267 | Hig | 0.55 | 8.5 | 0.00 | Jul 17, 2025 | NVIDIA Container Toolkit for all platforms contains a vulnerability in the update-ldcache hook, where an attacker could cause a link following by using a specially crafted container image. A successful exploit of this vulnerability might lead to data tampering and denial of service. | |
| CVE-2025-52936 | Cri | 0.53 | — | 0.00 | Jun 23, 2025 | Improper Link Resolution Before File Access ('Link Following') vulnerability in yrutschle sslh.This issue affects sslh: before 2.2.2. | |
| CVE-2025-20003 | Hig | 0.53 | 8.2 | 0.00 | May 13, 2025 | Improper link resolution before file access ('Link Following') for some Intel(R) Graphics Driver software installers may allow an authenticated user to potentially enable escalation of privilege via local access. | |
| CVE-2000-0342 | Hig | 0.52 | 7.5 | 0.02 | Apr 28, 2000 | Eudora 4.x allows remote attackers to bypass the user warning for executable attachments such as .exe, .com, and .bat by using a .lnk file that refers to the attachment, aka "Stealth Attachment." | |
| CVE-2026-27748 | Hig | 0.51 | 7.8 | 0.00 | Mar 5, 2026 | Avira Internet Security contains an improper link resolution vulnerability in the Software Updater component. During the update process, a privileged service running as SYSTEM deletes a file under C:\\ProgramData without validating whether the path resolves through a symbolic link or reparse point. A local attacker can create a malicious link to redirect the delete operation to an arbitrary file, resulting in deletion of attacker-chosen files with SYSTEM privileges. This may lead to local privilege escalation, denial of service, or system integrity compromise depending on the targeted file and operating system configuration. | |
| CVE-2026-2627 | Hig | 0.51 | 7.8 | 0.00 | Feb 17, 2026 | A security flaw has been discovered in Softland FBackup up to 9.9. This impacts an unknown function in the library C:\Program Files\Common Files\microsoft shared\ink\HID.dll of the component Backup/Restore. The manipulation results in link following. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-12341 | Hig | 0.51 | 7.8 | 0.00 | Oct 28, 2025 | A vulnerability was detected in ermig1979 AntiDupl up to 2.3.12. Impacted is an unknown function of the file AntiDupl.NET.WinForms.exe of the component Delete Duplicate Image Handler. The manipulation results in link following. The attack is only possible with local access. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-62363 | Hig | 0.51 | 7.8 | 0.00 | Oct 13, 2025 | yt-grabber-tui is a terminal user interface application for downloading videos. In versions before 1.0-rc, the application allows users to configure the path to the yt-dlp executable via the path_to_yt_dlp configuration setting. An attacker with write access to the configuration file or the filesystem location of the configured executable can replace the executable with malicious code or create a symlink to an arbitrary executable. When the application invokes yt-dlp, the malicious code is executed with the privileges of the user running yt-grabber-tui. This vulnerability has been patched in version 1.0-rc. | |
| CVE-2025-11462 | Hig | 0.51 | 7.8 | 0.00 | Oct 7, 2025 | Improper Link Resolution Before File Access in the AWS VPN Client for macOS versions 1.3.2- 5.2.0 allows a local user to execute code with elevated privileges. Insufficient validation checks on the log destination directory during log rotation could allow a non-administrator user to create a symlink from a client log file to a privileged location. On log rotation, this could lead to code execution with root privileges if the user made crafted API calls which injected arbitrary code into the log file. We recommend users upgrade to AWS VPN Client for macOS 5.2.1 or the latest version. | |
| CVE-2024-11857 | Hig | 0.51 | 7.8 | 0.00 | Jun 2, 2025 | Bluetooth HCI Adaptor from Realtek has a Link Following vulnerability. Local attackers with regular privileges can create a symbolic link with the same name as a specific file, causing the product to delete arbitrary files pointed to by the link. Subsequently, attackers can leverage arbitrary file deletion to privilege escalation. | |
| CVE-2024-9524 | Hig | 0.51 | 7.8 | 0.00 | May 9, 2025 | Link Following Local Privilege Escalation Vulnerability in System Speedup Service in Avira Operations GmbH Avira Prime Version 1.1.96.2 on Windows 10 x64 allows local attackers to escalate privileges and execute arbitrary code in the context of SYSTEM via creating a symbolic link and leveraging a TOCTTOU (time-of-check to time-of-use) attack. | |
| CVE-2024-13962 | Hig | 0.51 | 7.8 | 0.00 | May 9, 2025 | Link Following Local Privilege Escalation Vulnerability in TuneupSvc in Gen Digital Inc. Avast Cleanup Premium Version 24.2.16593.17810 on Windows 10 Pro x64 allows local attackers to escalate privileges and execute arbitrary code in the context of SYSTEM via creating a symbolic link and leveraging a TOCTTOU (time-of-check to time-of-use) attack. | |
| CVE-2024-13961 | Hig | 0.51 | 7.8 | 0.00 | May 9, 2025 | Link Following Local Privilege Escalation Vulnerability in TuneupSvc in Avast Cleanup Premium Version 24.2.16593.17810 on Windows 10 Pro x64 allows local attackers to escalate privileges and execute arbitrary code in the context of SYSTEM via creating a symbolic link and leveraging a TOCTTOU (time-of-check to time-of-use) attack. | |
| CVE-2024-13960 | Hig | 0.51 | 7.8 | 0.00 | May 9, 2025 | Link Following Local Privilege Escalation Vulnerability in TuneUp Service in AVG TuneUp Version 23.4 (build 15592) on Windows 10 allows local attackers to escalate privileges and execute arbitrary code in the context of SYSTEM via creating a symbolic link and leveraging a TOCTTOU (time-of-check to time-of-use) attack. | |
| CVE-2024-13959 | Hig | 0.51 | 7.8 | 0.00 | May 9, 2025 | Link Following Local Privilege Escalation Vulnerability in TuneupSvc.exe in AVG TuneUp 24.2.16593.9844 on Windows allows local attackers to escalate privileges and execute arbitrary code in the context of SYSTEM via creating a symbolic link and leveraging the service to delete a directory | |
| CVE-2024-13944 | Hig | 0.51 | 7.8 | 0.00 | May 9, 2025 | Link Following Local Privilege Escalation Vulnerability in NortonUtilitiesSvc in Norton Utilities Ultimate Version 24.2.16862.6344 on Windows 10 Pro x64 allows local attackers to escalate privileges and execute arbitrary code in the context of SYSTEM via the creation of a symbolic link and leveraging a TOCTTOU (time-of-check to time-of-use) attack. | |
| CVE-2024-13759 | Hig | 0.51 | 7.8 | 0.00 | May 9, 2025 | Local Privilege Escalation in Avira.Spotlight.Service.exe in Avira Prime 1.1.96.2 on Windows 10 x64 allows local attackers to gain system-level privileges via arbitrary file deletion | |
| CVE-2024-45316 | Hig | 0.51 | 7.8 | 0.00 | Oct 11, 2024 | The Improper link resolution before file access ('Link Following') vulnerability in SonicWall Connect Tunnel (version 12.4.3.271 and earlier of Windows client) allows users with standard privileges to delete arbitrary folders and files, potentially leading to local privilege escalation attack. |