CWE-59— Improper Link Resolution Before File Access (Link Following)
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.— MITRE CWE catalog
1,471 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-59page 28 of 30
- CVE-2026-2490MEDIUMCVSS 5.5EG 5.52026-02-20
RustDesk Client for Windows Transfer File Link Following Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of RustDesk Client for Windows. An attacke…
- CVE-2026-25187HIGHCVSS 7.8EG 7.82026-03-10
Improper link resolution before file access ('link following') in Winlogon allows an authorized attacker to elevate privileges locally.
- CVE-2026-25718CRITICALCVSS 9.1EG 9.12026-07-03
Gitea versions before 1.25.5 mishandle path resolution during template repository generation, allowing template processing to read or write through symlinked or otherwise non-regular paths.
- CVE-2026-26225HIGHCVSS 8.5EG 8.52026-02-12
Intego Personal Backup, a macOS backup utility that allows users to create scheduled backups and bootable system clones, contains a local privilege escalation vulnerability. Backup task definitions are stored in a location writable by non-…
- CVE-2026-2627HIGHCVSS 7.8EG 7.82026-02-17
A security flaw has been discovered in Softland FBackup up to 9.9. This impacts an unknown function in the library C:\Program Files\Common Files\microsoft shared\ink\HID.dll of the component Backup/Restore. The manipulation results in link…
- CVE-2026-27105MEDIUMCVSS 6.3EG 6.32026-04-29
Dell/Alienware Purchased Apps, versions prior to 1.1.31.0, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, l…
- CVE-2026-27456MEDIUMCVSS 4.7EG 4.72026-04-03
util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop…
- CVE-2026-28262MEDIUMCVSS 6.0EG 6.02026-06-09
Dell iDRAC Tools, versions prior to 11.4.1.0, contains an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to In…
- CVE-2026-28684MEDIUMCVSS 6.6EG 6.62026-04-20
python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local atta…
- CVE-2026-29786MEDIUMCVSS 6.3EG 6.32026-03-07
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables fil…
- CVE-2026-31990MEDIUMCVSS 6.1EG 6.12026-03-19
OpenClaw versions prior to 2026.3.2 contain a vulnerability in the stageSandboxMedia function in which it fails to validate destination symlinks during media staging, allowing writes to follow symlinks outside the sandbox workspace. Attack…
- CVE-2026-32013HIGHCVSS 8.8EG 8.82026-03-19
OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the agents.files.get and agents.files.set methods that allows reading and writing files outside the agent workspace. Attackers can exploit symlinked allowlis…
- CVE-2026-32020LOWCVSS 3.3EG 3.32026-03-19
OpenClaw versions prior to 2026.2.22 contain a path traversal vulnerability in the static file handler that follows symbolic links, allowing out-of-root file reads. Attackers can place symlinks under the Control UI root directory to bypass…
- CVE-2026-32024MEDIUMCVSS 5.5EG 5.52026-03-19
OpenClaw versions prior to 2026.2.22 contain a symlink traversal vulnerability in avatar handling that allows attackers to read arbitrary files outside the configured workspace boundary. Remote attackers can exploit this by requesting avat…
- CVE-2026-32054MEDIUMCVSS 6.5EG 6.52026-03-21
OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and download output path handling that allows local attackers to escape the managed temp root directory. An attacker with local access can crea…
- CVE-2026-32212MEDIUMCVSS 5.5EG 5.52026-04-14
Improper link resolution before file access ('link following') in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.
- CVE-2026-32282MEDIUMCVSS 6.4EG 6.42026-04-08
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently igno…
- CVE-2026-33001HIGHCVSS 8.8EG 8.82026-03-18
Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only…
- CVE-2026-33694HIGHCVSS 7.4EG 7.42026-04-23
This vulnerability allows an attacker to create a junction, enabling the deletion of arbitrary files with SYSTEM privileges. As a result, this condition potentially facilitates arbitrary code execution, whereby an attacker may exploit the …
- CVE-2026-34078CRITICALCVSS 10.0EG 10.02026-04-07
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the …
- CVE-2026-34242HIGHCVSS 7.7EG 7.72026-04-15
Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the repository. This issue has been fixed in version 5.17.
- CVE-2026-34603HIGHCVSS 7.1EG 7.12026-04-01
Tina is a headless content management system. Prior to version 2.2.2, @tinacms/cli recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symli…
- CVE-2026-34604HIGHCVSS 7.1EG 7.12026-04-01
Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If …
- CVE-2026-34883MEDIUMCVSS 5.3EG 5.32026-05-19
An issue was discovered in the Portrait Dell Color Management application before 3.7.0 for Dell monitors. On Windows, a symbolic link vulnerability allows a local low-privileged user to escalate privileges to Administrator. During installa…
- CVE-2026-35025HIGHCVSS 8.1EG 8.12026-06-24
ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attacker…
- CVE-2026-35345MEDIUMCVSS 5.3EG 5.32026-04-22
A vulnerability in the tail utility of uutils coreutils allows for the exfiltration of sensitive file contents when using the --follow=name option. Unlike GNU tail, the uutils implementation continues to monitor a path after it has been re…
- CVE-2026-35349MEDIUMCVSS 6.7EG 6.72026-04-22
A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protection. The implementation uses a path-string check rather than comparing device and inode numbers to identify the root directory. An attacker…
- CVE-2026-35359MEDIUMCVSS 4.7EG 4.72026-04-22
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequent…
- CVE-2026-35365MEDIUMCVSS 6.6EG 6.62026-04-22
The mv utility in uutils coreutils improperly handles directory trees containing symbolic links during moves across filesystem boundaries. Instead of preserving symlinks, the implementation expands them, copying the linked targets as real …
- CVE-2026-35400LOWCVSS 3.5EG 3.52026-04-08
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, an endpoint in the publication module w…
- CVE-2026-39243MEDIUMCVSS 5.5EG 5.52026-07-09
decompress before 4.2.2 allows arbitrary hardlink creation during archive extraction, enabling file read disclosure and file corruption. When processing hardlink entries (type === 'link'), the x.linkname field from the archive is passed di…
- CVE-2026-39246HIGHCVSS 7.5EG 7.52026-07-09
decompress before 4.2.2 allows arbitrary symlink creation during archive extraction. When processing symlink entries (type === 'symlink'), the x.linkname field from the archive is passed directly to fs.symlink() without validation (index.j…
- CVE-2026-39819MEDIUMCVSS 5.3EG 5.32026-05-07
The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to ove…
- CVE-2026-40610MEDIUMCVSS 5.5EG 5.52026-05-22
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.38 and prior, the build packaging workflow follows attacker-controlled symlinks inside the build context and copies …
- CVE-2026-40861MEDIUMCVSS 6.5EG 6.52026-06-01
A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (read-path attack — e.g. `/etc/passwd` or `airflow.cfg`) or (b) supply a `task_id` containin…
- CVE-2026-40931HIGHCVSS 8.4EG 8.42026-04-21
Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path…
- CVE-2026-40977MEDIUMCVSS 4.7EG 4.72026-04-28
When an application is configured to use `ApplicationPidFileWriter`, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started. Affected: Spring Boot 4.0.0–4.0.5 …
- CVE-2026-41091HIGHCVSS 7.8EG 9.0⚠ KEV2026-05-20
Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally.
- CVE-2026-41121HIGHCVSS 7.8EG 7.32026-07-01
Dell Device Management Agent, versions prior to DDMA 26.05, contain an Improper Link Resolution Before File Access ('Link Following’) vulnerability. A low privileged attacker with local access could potentially exploit this vulnerabilit…
- CVE-2026-41231HIGHCVSS 7.5EG 7.52026-04-23
Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, …
- CVE-2026-41236HIGHCVSS 8.8EG 8.82026-05-29
Froxlor is open source server administration software. Version 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to `~/.ssh/authori…
- CVE-2026-4135MEDIUMCVSS 6.6EG 6.62026-04-15
During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix, that during installation could allow a local authenticated user to perform an arbitrary file write with elevated privileges.
- CVE-2026-41364HIGHCVSS 8.1EG 8.12026-04-28
OpenClaw before 2026.3.31 contains a symlink following vulnerability in SSH sandbox tar upload that allows remote attackers to write arbitrary files. Attackers can exploit this by uploading tar archives containing symlinks to escape the sa…
- CVE-2026-41397MEDIUMCVSS 6.8EG 6.82026-04-28
OpenClaw before 2026.3.31 contains a sandbox escape vulnerability allowing attackers to traverse directory boundaries through symlink exploitation during file synchronization operations. Remote attackers can bypass sandbox restrictions by …
- CVE-2026-41433HIGHCVSS 8.4EG 8.42026-04-24
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From 0.4.0 to before 0.8.0, a flaw in the Java agent injection path allows a local attacker controlling a Java workload to overwrite arbi…
- CVE-2026-41610MEDIUMCVSS 6.3EG 6.32026-05-12
Improper neutralization of input during web page generation ('cross-site scripting') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.
- CVE-2026-41882HIGHCVSS 7.4EG 7.42026-04-30
In JetBrains IntelliJ IDEA before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, 2026.1.1 reading arbitrary local files was possible via built-in web server
- CVE-2026-42496CRITICALCVSS 9.1EG 9.12026-05-26
Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory. _make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths…
- CVE-2026-42497HIGHCVSS 7.5EG 7.52026-05-26
Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory. _make_special_file() passes the tar header's linkname to link() without validating it against absolute paths or ..…
- CVE-2026-42574HIGHCVSS 7.5EG 7.52026-05-09
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subse…
Map vulnerabilities like CWE-59 to your infrastructure
EchelonGraph correlates every CVE — across CWE-59 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →