VYPR

CWE-61

UNIX Symbolic Link (Symlink) Following

Abstraction: Compound
Status: Incomplete
Likelihood of exploit: High

Description

The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

A product that allows UNIX symbolic links (symlinks) as part of paths, whether in internal code or through user input, can allow an attacker to spoof the symbolic link and traverse the file system to unintended locations or access arbitrary files. The symbolic link can permit an attacker to read, write or corrupt a file that they originally did not have permission to access.
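As an added illustration (not part of the CWE text, and not code from any project listed below), the following Python shows the weakness in its most common shape: a lexical containment check that a symlink planted inside the sandbox defeats, beside an fd-relative open that refuses to follow links at every path component, and a chmod applied to the verified descriptor rather than to a path the kernel resolves a second time. The workspace layout, `victim.txt` and all helper names are constructed for the example.

```python
"""Symlink following: a lexical path check beside an fd-relative no-follow open.
Constructed scenario: a service writes files under a per-user workspace and
checks the requested relative path with normpath plus a prefix test. That stops
'../' traversal but not a symlink the user planted inside the workspace."""
import errno
import os
import shutil
import tempfile


def lexical_join(root, rel):
    """Containment check on the string only; symlinks are invisible to it."""
    full = os.path.normpath(os.path.join(root, rel))
    if full != root and not full.startswith(root + os.sep):
        raise ValueError("path escapes workspace: %r" % rel)
    return full


def naive_write(root, rel, data):
    """Vulnerable: open() follows whatever symlink sits at the checked path."""
    with open(lexical_join(root, rel), "wb") as f:
        f.write(data)


def open_nofollow(root, rel, flags, mode=0o644):
    """Hardened: resolve rel one component at a time, each relative to the fd of
    the parent directory already opened, with O_NOFOLLOW at every step so the
    kernel refuses a symlink instead of following it. Linux reports the refusal
    as ELOOP for the leaf and ENOTDIR for an O_DIRECTORY step."""
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("bad relative path: %r" % rel)
    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    dfd = os.open(root, dir_flags)
    try:
        for comp in parts[:-1]:
            nfd = os.open(comp, dir_flags, dir_fd=dfd)
            os.close(dfd)
            dfd = nfd
        return os.open(parts[-1], flags | os.O_NOFOLLOW, mode, dir_fd=dfd)
    finally:
        os.close(dfd)


def chmod_nofollow(root, rel, mode):
    """Operate on the verified fd, never on a path the kernel re-resolves."""
    fd = open_nofollow(root, rel, os.O_RDONLY)
    try:
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def build_scenario():
    """Constructed layout: base/workspace is the user's sandbox; base/victim.txt
    lies outside it. The user plants a file symlink and a directory symlink."""
    base = tempfile.mkdtemp(prefix="cwe61-")
    root = os.path.join(base, "workspace")
    os.makedirs(os.path.join(root, "sub"))
    victim = os.path.join(base, "victim.txt")
    with open(victim, "wb") as f:
        f.write(b"original")
    os.chmod(victim, 0o600)
    os.symlink(victim, os.path.join(root, "notes.txt"))   # file symlink
    os.symlink(base, os.path.join(root, "sub", "up"))     # directory symlink
    return base, root, victim


def run_demo():
    """Returns (naive write escaped, hardened opens refused, legitimate path works)."""
    base, root, victim = build_scenario()
    try:
        naive_write(root, "notes.txt", b"attacker data")
        with open(victim, "rb") as f:
            escaped = f.read() == b"attacker data"
        refused = []
        for rel in ("notes.txt", "sub/up/victim.txt"):
            try:
                os.close(open_nofollow(root, rel, os.O_WRONLY | os.O_TRUNC))
                refused.append(False)
            except OSError as e:
                refused.append(e.errno in (errno.ELOOP, errno.ENOTDIR))
        fd = open_nofollow(root, "sub/real.txt", os.O_WRONLY | os.O_CREAT | os.O_TRUNC)
        os.write(fd, b"ok")
        os.close(fd)
        chmod_nofollow(root, "sub/real.txt", 0o600)
        try:
            chmod_nofollow(root, "notes.txt", 0o777)   # refused: leaf is a symlink
        except OSError:
            pass
        real_mode = os.stat(os.path.join(root, "sub", "real.txt")).st_mode & 0o777
        victim_mode = os.stat(victim).st_mode & 0o777
        return escaped, all(refused), real_mode == 0o600 and victim_mode == 0o600
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(run_demo())
```

On Linux 5.6 and later, openat2(2) with RESOLVE_BENEATH | RESOLVE_NO_SYMLINKS performs the same refusal in one syscall; the component walk above is the portable form. Because each step is relative to an fd of a directory already checked, a symlink swapped in between steps (the race that CAPEC-27 describes) is refused rather than followed, which a realpath()-then-open check cannot guarantee. The same fd is the right target for fchown as for fchmod. What the walk does not catch is a hard link: a file hard-linked into the workspace is the same inode as the copy outside, so where that matters, fstat the returned fd and check ownership before operating on it.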

Hierarchy (View 1000)

Parents

CWE-59 Improper Link Resolution Before File Access ('Link Following')

Children

none

Related attack patterns (CAPEC)

CAPEC-27 Leveraging Race Conditions via Symbolic Links

CVEs mapped to this weakness (97)

page 1 of 5
  • CVE-2026-54420 | High | CISA KEV | Jun 14, 2026
    risk 0.67 | CVSS 8.5 | EPSS 0.01

    LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.

  • CVE-2024-28189 | Critical | Apr 18, 2024
    risk 0.66 | CVSS 10.0 | EPSS 0.07

    Judge0 is an open-source online code execution system. The application uses the UNIX chown command on an untrusted file within the sandbox. An attacker can abuse this by creating a symbolic link (symlink) to a file outside the sandbox, allowing the attacker to run chown on…

  • CVE-2024-28185 | Critical | Apr 18, 2024
    risk 0.66 | CVSS 10.0 | EPSS 0.07

    Judge0 is an open-source online code execution system. The application does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox. When executing a…

  • CVE-2026-39861 | Critical | Apr 21, 2026
    risk 0.65 | CVSS 10.0 | EPSS 0.01

    Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed…

  • CVE-2025-23394 | Critical | May 26, 2025
    risk 0.64 | CVSS 9.8 | EPSS 0.00

    A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed cyrus-imapd allows escalation from cyrus to root. This issue affects openSUSE Tumbleweed cyrus-imapd before 3.8.4-2.1.

  • CVE-2024-54661 | Critical | Dec 4, 2024
    risk 0.64 | CVSS 9.8 | EPSS 0.01

    readline.sh in socat before 1.8.0.2 relies on the /tmp/$USER/stderr2 file.

  • CVE-2025-68937 | Critical | Dec 26, 2025
    risk 0.62 | CVSS n/a | EPSS 0.00

    Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.

  • CVE-2026-34078 | Critical | Apr 7, 2026
    risk 0.58 | CVSS 10.0 | EPSS 0.02

    Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This…

  • CVE-2026-29203 | High | May 8, 2026
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled…

  • CVE-2025-55345 | High | Aug 13, 2025
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    Using Codex CLI in workspace-write mode inside a malicious context (repo, directory, etc) could lead to arbitrary file overwrite and potentially remote code execution due to symlinks being followed outside the allowed current working directory.

  • CVE-2025-46810 | High | Sep 2, 2025
    risk 0.55 | CVSS n/a | EPSS 0.00

    A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of openSUSE Tumbleweed traefik2 allows the traefik user to escalate to root. This issue affects Tumbleweed: from ? before 2.11.29.

  • CVE-2025-10854 | High | Sep 22, 2025
    risk 0.53 | CVSS 8.1 | EPSS 0.00

    The txtai framework allows the loading of compressed tar files as embedding indices. While the validate function is intended to prevent path traversal vulnerabilities by ensuring safe filenames, it does not account for symbolic links within the tar file. An attacker is able to…

  • CVE-2024-47515 | High | Dec 24, 2024
    risk 0.53 | CVSS 8.1 | EPSS 0.01

    A vulnerability was found in Pagure. Support of symbolic links during repository archiving of repositories allows the disclosure of local files. This flaw allows a malicious user to take advantage of the Pagure instance.

  • CVE-2026-52811 | Critical | Jun 23, 2026
    risk 0.52 | CVSS n/a | EPSS 0.00

    Summary: `(*Repository).UploadRepoFiles` checks for symlinks only on the **leaf** of the upload target (`osx.IsSymlink(targetPath)`). The siblings `UpdateRepoFile`, `DeleteRepoFile`, and `GetDiffPreview` use `hasSymlinkInPath`, which lstats every component — `UploadRepoFiles`…

  • CVE-2026-55447 | Critical | Jun 19, 2026
    risk 0.52 | CVSS n/a | EPSS 0.00

    Summary: All components based on `BaseFileComponent` are vulnerable to the following vulnerability: 1. Docling (`DoclingInlineComponent`) 2. Docling Serve (`DoclingRemoteComponent`) 3. Read File (`FileComponent`) 4. NVIDIA Retriever Extraction (`NvidiaIngestComponent`) 5.…

  • CVE-2026-39860 | Critical | Apr 8, 2026
    risk 0.52 | CVSS 9.0 | EPSS 0.00

    Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically the Nix daemon running as root in multi-user installations) by following…

  • CVE-2025-66431 | High | Dec 3, 2025
    risk 0.51 | CVSS 7.8 | EPSS 0.00

    WebPros Plesk before 18.0.73.5 and 18.0.74 before 18.0.74.2 on Linux allows remote authenticated users to execute arbitrary code as root via domain creation. The attacker needs "Create and manage sites" with "Domains management" and "Subdomains management."

  • CVE-2017-14798 | High | Mar 1, 2018
    risk 0.51 | CVSS 7.3 | EPSS 0.01

    A race condition in the postgresql init script could be used by attackers able to access the postgresql account to escalate their privileges to root.

  • CVE-2026-6475 | High | May 14, 2026
    risk 0.50 | CVSS 8.8 | EPSS 0.00

    Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands…

  • CVE-2026-42275 | High | May 8, 2026
    risk 0.50 | CVSS 8.7 | EPSS 0.00

    zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared…
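The txtai entry (CVE-2025-10854) and the `UploadRepoFiles` entry (CVE-2026-52811) above describe the two halves of one mistake in archive and upload handling: validating member names without looking at link members, and checking only the leaf for a symlink instead of every parent component. The following Python is an added illustration, not code from either project; the archive layout, the `outside` directory and the helper names are constructed for the example.

```python
"""Archive extraction: a name-only validator beside a link-aware extractor.
Constructed example: a user-supplied tarball is unpacked into dest. Every member
name is a benign relative path, so a check on names passes; the escape is in the
symlink members and in a regular member whose parent path runs through one."""
import io
import os
import shutil
import tarfile
import tempfile


def name_ok(name):
    """Name-only check, the kind a 'safe filenames' validator performs."""
    norm = os.path.normpath(name)
    return not (os.path.isabs(norm) or norm == ".." or norm.startswith("../"))


def malicious_tar(outside_rel):
    """Constructed archive; outside_rel is a link target, relative to index/, that
    leaves dest (e.g. '../../outside')."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, data=b"", linkname=None):
            ti = tarfile.TarInfo(name)
            if linkname is not None:
                ti.type, ti.linkname = tarfile.SYMTYPE, linkname
            ti.size = len(data)
            tar.addfile(ti, io.BytesIO(data) if linkname is None else None)
        add("index/config", b"embedding config")
        add("index/evil", linkname="/etc/passwd")   # absolute target
        add("index/sub", linkname=outside_rel)      # relative target leaving dest
        add("index/sub/payload", b"written through the symlink")
    return buf.getvalue()


def write_member(tar, m, path):
    """Materialize one member; open() here follows any symlinked parent."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    if m.issym():
        os.symlink(m.linkname, path)
    elif m.isfile():
        with open(path, "wb") as f:
            f.write(tar.extractfile(m).read())


def naive_extract(tar_bytes, dest):
    """Vulnerable: trusts name_ok() alone and recreates link members as given."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar:
            if not name_ok(m.name):
                raise ValueError(m.name)
            write_member(tar, m, os.path.join(dest, m.name))


def has_symlink_in_path(dest, rel):
    """lstat every parent component below dest, not only the leaf: a link created by
    an earlier member, or already on disk, turns a later write into an escape."""
    cur = dest
    for comp in rel.split("/")[:-1]:
        cur = os.path.join(cur, comp)
        if os.path.islink(cur):
            return True
    return False


def link_target_ok(m):
    """A symlink member may only point somewhere that stays inside dest."""
    if os.path.isabs(m.linkname):
        return False
    target = os.path.normpath(os.path.join(os.path.dirname(m.name), m.linkname))
    return not (target == ".." or target.startswith("../"))


def safe_extract(tar_bytes, dest):
    """Hardened: accepts only regular files and in-dest symlinks, and never writes
    a member whose parent path already runs through a symlink. Returns rejected names."""
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar:
            ok = (name_ok(m.name) and not has_symlink_in_path(dest, m.name)
                  and (m.isfile() or (m.issym() and link_target_ok(m))))
            if ok:
                write_member(tar, m, os.path.join(dest, m.name))
            else:
                rejected.append(m.name)
    return rejected


def run_demo():
    """Returns (names pass, naive extraction escaped, rejected names, payload contained)."""
    base = tempfile.mkdtemp(prefix="cwe61-tar-")
    try:
        for d in ("outside", "naive", "safe"):
            os.mkdir(os.path.join(base, d))
        tar_bytes = malicious_tar("../../outside")
        with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
            names_pass = all(name_ok(m.name) for m in tar)
        naive_extract(tar_bytes, os.path.join(base, "naive"))
        escaped = os.path.isfile(os.path.join(base, "outside", "payload"))
        rejected = safe_extract(tar_bytes, os.path.join(base, "safe"))
        sub = os.path.join(base, "safe", "index", "sub")
        contained = os.path.isfile(os.path.join(sub, "payload")) and not os.path.islink(sub)
        return names_pass, escaped, sorted(rejected), contained
    finally:
        shutil.rmtree(base)
```

Python's own tarfile extraction filter (`filter="data"`, in 3.12 and backported to the 3.8 through 3.11 security releases) enforces the same two link rules; the checks are written out here so they are visible, and because the parent-path test is something an upload or repository handler has to do itself against what is already on disk, not only against the archive it is reading.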