Total
1446 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-62363 | 2026-04-15 | N/A | 7.8 HIGH | ||
| yt-grabber-tui is a terminal user interface application for downloading videos. In versions before 1.0-rc, the application allows users to configure the path to the yt-dlp executable via the path_to_yt_dlp configuration setting. An attacker with write access to the configuration file or the filesystem location of the configured executable can replace the executable with malicious code or create a symlink to an arbitrary executable. When the application invokes yt-dlp, the malicious code is executed with the privileges of the user running yt-grabber-tui. This vulnerability has been patched in version 1.0-rc. | |||||
| CVE-2024-51721 | 2026-04-15 | N/A | 7.3 HIGH | ||
| A code injection vulnerability in the SecuSUITE Server Web Administration Portal of SecuSUITE versions 5.0.420 and earlier could allow an attacker to potentially inject script commands or other executable content into the server that would run with root privilege. | |||||
| CVE-2025-9968 | 2026-04-15 | N/A | N/A | ||
| A link following vulnerability exists in the UnifyScanner component of Armoury Crate. This vulnerability may be triggered by creating a specially crafted junction, potentially leading to local privilege escalation. For more information, please refer to section 'Security Update for Armoury Crate App' in the ASUS Security Advisory. | |||||
| CVE-2025-53594 | 2026-04-15 | N/A | N/A | ||
| A path traversal vulnerability has been reported to affect several product versions. If a local attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: Qfinder Pro Mac 7.13.0 and later Qsync for Mac 5.1.5 and later QVPN Device Client for Mac 2.2.8 and later | |||||
| CVE-2024-13961 | 2026-04-15 | N/A | 7.8 HIGH | ||
| Link Following Local Privilege Escalation Vulnerability in TuneupSvc in Avast Cleanup Premium Version 24.2.16593.17810 on Windows 10 Pro x64 allows local attackers to escalate privileges and execute arbitrary code in the context of SYSTEM via creating a symbolic link and leveraging a TOCTTOU (time-of-check to time-of-use) attack. | |||||
| CVE-2025-41421 | 2026-04-15 | N/A | 4.7 MEDIUM | ||
| Improper handling of symbolic links in the TeamViewer Full Client and Host for Windows — in versions prior to 15.70 of TeamViewer Remote and Tensor — allows an attacker with local, unprivileged access to a device lacking adequate malware protection to escalate privileges by spoofing the update file path. This may result in unauthorized access to sensitive information. | |||||
| CVE-2025-20003 | 2026-04-15 | N/A | 8.2 HIGH | ||
| Improper link resolution before file access ('Link Following') for some Intel(R) Graphics Driver software installers may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2025-13154 | 2026-04-15 | N/A | 5.5 MEDIUM | ||
| An improper link following vulnerability was reported in the SmartPerformanceAddin for Lenovo Vantage that could allow an authenticated local user to perform an arbitrary file deletion with elevated privileges. | |||||
| CVE-2024-56074 | 2026-04-15 | N/A | 5.5 MEDIUM | ||
| gitingest before 9996a06 mishandles symbolic links that point outside of the base directory. | |||||
| CVE-2025-60710 | 1 Microsoft | 3 Windows 11 24h2, Windows 11 25h2, Windows Server 2025 | 2026-04-14 | N/A | 7.8 HIGH |
| Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2022-46869 | 2 Acronis, Microsoft | 2 Cyber Protect Home Office, Windows | 2026-04-10 | N/A | 7.8 HIGH |
| Local privilege escalation during installation due to improper soft link handling. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40278, Acronis True Image OEM (Windows) before build 42575. | |||||
| CVE-2026-34603 | 1 Ssw | 1 Tinacms\/cli | 2026-04-07 | N/A | 7.1 HIGH |
| Tina is a headless content management system. Prior to version 2.2.2, @tinacms/cli recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symlink or junction targets. If a link already exists under the media root, Tina accepts a path like pivot/written-from-media.txt as "inside" the media directory and then performs real filesystem operations through that link target. This allows out-of-root media listing and write access, and the same root cause also affects delete. This issue has been patched in version 2.2.2. | |||||
| CVE-2026-34604 | 1 Ssw | 1 Tinacms\/graphql | 2026-04-07 | N/A | 7.1 HIGH |
| Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like content/posts/pivot/owned.md is still considered "inside" the base even though the real filesystem target can be outside it. As a result, FilesystemBridge.get(), put(), delete(), and glob() can operate on files outside the intended root. This issue has been patched in version 2.2.2. | |||||
| CVE-2025-43257 | 1 Apple | 1 Macos | 2026-04-03 | N/A | 8.7 HIGH |
| This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.6. An app may be able to break out of its sandbox. | |||||
| CVE-2025-43448 | 1 Apple | 6 Ipados, Iphone Os, Macos and 3 more | 2026-04-02 | N/A | 6.3 MEDIUM |
| This issue was addressed with improved validation of symlinks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. An app may be able to break out of its sandbox. | |||||
| CVE-2025-43446 | 1 Apple | 1 Macos | 2026-04-02 | N/A | 5.5 MEDIUM |
| This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1. An app may be able to modify protected parts of the file system. | |||||
| CVE-2025-43395 | 1 Apple | 1 Macos | 2026-04-02 | N/A | 3.3 LOW |
| This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1. An app may be able to access protected user data. | |||||
| CVE-2025-43394 | 1 Apple | 1 Macos | 2026-04-02 | N/A | 5.5 MEDIUM |
| This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1. An app may be able to access protected user data. | |||||
| CVE-2025-43379 | 1 Apple | 6 Ipados, Iphone Os, Macos and 3 more | 2026-04-02 | N/A | 5.5 MEDIUM |
| This issue was addressed with improved validation of symlinks. This issue is fixed in iOS 26.1 and iPadOS 26.1, macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. An app may be able to access protected user data. | |||||
| CVE-2025-43288 | 1 Apple | 1 Macos | 2026-04-02 | N/A | 5.5 MEDIUM |
| This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Sequoia 15.7, macOS Tahoe 26. An app may be able to bypass Privacy preferences. | |||||