Total
45 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-42367 | 1 Aiohttp | 1 Aiohttp | 2025-08-19 | N/A | 4.8 MEDIUM |
| aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links. The server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing the `Path.stat()` and `Path.open()` to send the file. Version 3.10.2 contains a patch for the issue. | |||||
| CVE-2025-54867 | 2025-08-15 | N/A | 7.0 HIGH | ||
| Youki is a container runtime written in Rust. Prior to version 0.5.5, if /proc and /sys in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem. This issue has been patched in version 0.5.5. | |||||
| CVE-2025-55345 | 2025-08-13 | N/A | 8.8 HIGH | ||
| Using Codex CLI in workspace-write mode inside a malicious context (repo, directory, etc) could lead to arbitrary file overwrite and potentially remote code execution due to symlinks being followed outside the allowed current working directory. | |||||
| CVE-2025-5468 | 2025-08-13 | N/A | 5.5 MEDIUM | ||
| Improper handling of symbolic links in Ivanti Connect Secure before version 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a local authenticated attacker to read arbitrary files on disk. | |||||
| CVE-2023-20092 | 1 Cisco | 1 Roomos | 2025-07-30 | N/A | 4.4 MEDIUM |
| Three vulnerabilities in the CLI of Cisco TelePresence CE and RoomOS could allow an authenticated, local attacker to overwrite arbitrary files on the local file system of an affected device. These vulnerabilities are due to improper access controls on files that are on the local file system. An attacker could exploit these vulnerabilities by placing a symbolic link in a specific location on the local file system of an affected device. A successful exploit could allow the attacker to overwrite arbitrary files on the affected device. To exploit these vulnerabilities, an attacker would need to have a remote support user account. Note: CVE-2023-20092 does not affect Cisco DX70, DX80, TelePresence MX Series, or TelePresence SX Series devices. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. | |||||
| CVE-2023-20091 | 1 Cisco | 2 Roomos, Telepresence Collaboration Endpoint | 2025-07-30 | N/A | 5.1 MEDIUM |
| A vulnerability in the CLI of Cisco TelePresence CE and RoomOS could allow an authenticated, local attacker to overwrite arbitrary files on the local file system of an affected device. This vulnerability is due to improper access controls on files that are on the local file system. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system of an affected device. A successful exploit could allow the attacker to overwrite arbitrary files on the affected device. To exploit this vulnerability, an attacker would need to have a remote support user account. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. | |||||
| CVE-2023-20093 | 1 Cisco | 1 Roomos | 2025-07-30 | N/A | 4.4 MEDIUM |
| Three vulnerabilities in the CLI of Cisco TelePresence CE and RoomOS could allow an authenticated, local attacker to overwrite arbitrary files on the local file system of an affected device. These vulnerabilities are due to improper access controls on files that are on the local file system. An attacker could exploit these vulnerabilities by placing a symbolic link in a specific location on the local file system of an affected device. A successful exploit could allow the attacker to overwrite arbitrary files on the affected device. To exploit these vulnerabilities, an attacker would need to have a remote support user account. Note: CVE-2023-20092 does not affect Cisco DX70, DX80, TelePresence MX Series, or TelePresence SX Series devices. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. | |||||
| CVE-2025-1079 | 3 Apple, Google, Linux | 3 Macos, Web Designer, Linux Kernel | 2025-07-29 | N/A | 7.8 HIGH |
| Client RCE on macOS and Linux via improper symbolic link resolution in Google Web Designer's preview feature | |||||
| CVE-2024-22014 | 2 360totalsecurity, Microsoft | 2 360 Total Security, Windows | 2025-06-30 | N/A | 8.8 HIGH |
| An issue discovered in 360 Total Security Antivirus through 11.0.0.1061 for Windows allows attackers to gain escalated privileges via Symbolic Link Follow to Arbitrary File Delete. | |||||
| CVE-2025-36564 | 2025-06-04 | N/A | 7.8 HIGH | ||
| Dell Encryption Admin Utilities versions prior to 11.10.2 contain an Improper Link Resolution vulnerability. A local malicious user could potentially exploit this vulnerability, leading to privilege escalation. | |||||
| CVE-2025-23394 | 2025-05-28 | N/A | 9.8 CRITICAL | ||
| A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed cyrus-imapd allows escalation from cyrus to root.This issue affects openSUSE Tumbleweed cyrus-imapd before 3.8.4-2.1. | |||||
| CVE-2025-43853 | 2025-05-16 | N/A | N/A | ||
| The WebAssembly Micro Runtime's (WAMR) iwasm package is the executable binary built with WAMR VMcore which supports WebAssembly System Interface (WASI) and command line interface. Anyone running WAMR up to and including version 2.2.0 or WAMR built with libc-uvwasi on Windows is affected by a symlink following vulnerability. On WAMR running in Windows, creating a symlink pointing outside of the preopened directory and subsequently opening it with create flag will create a file on host outside of the sandbox. If the symlink points to an existing host file, it's also possible to open it and read its content. Version 2.3.0 fixes the issue. | |||||
| CVE-2024-54148 | 1 Gogs | 1 Gogs | 2025-04-10 | N/A | 9.8 CRITICAL |
| Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1. | |||||
| CVE-2025-30485 | 2025-04-07 | N/A | 6.2 MEDIUM | ||
| UNIX symbolic link (Symlink) following issue exists in FutureNet NXR series, VXR series and WXR series routers. Attaching to the affected product an external storage containing malicious symbolic link files, a logged-in administrative user may obtain and/or destroy internal files. | |||||
| CVE-2025-29787 | 2025-03-17 | N/A | N/A | ||
| `zip` is a zip library for rust which supports reading and writing of simple ZIP files. In the archive extraction routine of affected versions of the `zip` crate starting with version 1.3.0 and prior to version 2.3.0, symbolic links earlier in the archive are allowed to be used for later files in the archive without validation of the final canonicalized path, allowing maliciously crafted archives to overwrite arbitrary files in the file system when extracted. Users who extract untrusted archive files using the following high-level API method may be affected and critical files on the system may be overwritten with arbitrary file permissions, which can potentially lead to code execution. Version 2.3.0 fixes the issue. | |||||
| CVE-2024-27872 | 1 Apple | 1 Macos | 2025-03-14 | N/A | 5.5 MEDIUM |
| This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Sonoma 14.6. An app may be able to access protected user data. | |||||
| CVE-2024-45418 | 1 Zoom | 4 Meeting Software Development Kit, Rooms, Video Software Development Kit and 1 more | 2025-03-04 | N/A | 5.4 MEDIUM |
| Symlink following in the installer for some Zoom apps for macOS before version 6.1.5 may allow an authenticated user to conduct an escalation of privilege via network access. | |||||
| CVE-2025-24832 | 2025-02-27 | N/A | 5.5 MEDIUM | ||
| Arbitrary file overwrite during home directory recovery due to improper symbolic link handling. The following products are affected: Acronis Backup plugin for cPanel & WHM (Linux) before build 1.8.4.866, Acronis Backup plugin for cPanel & WHM (Linux) before build 1.9.1.892, Acronis Backup extension for Plesk (Linux) before build 1.8.7.615. | |||||
| CVE-2024-34015 | 2025-02-27 | N/A | 3.3 LOW | ||
| Sensitive information disclosure during file browsing due to improper symbolic link handling. The following products are affected: Acronis Backup plugin for cPanel & WHM (Linux) before build 1.8.3.818, Acronis Backup plugin for cPanel & WHM (Linux) before build 1.9.1.892. | |||||
| CVE-2024-34014 | 2025-02-27 | N/A | 5.5 MEDIUM | ||
| Arbitrary file overwrite during recovery due to improper symbolic link handling. The following products are affected: Acronis Backup plugin for cPanel & WHM (Linux) before build 1.8.3.818, Acronis Backup plugin for cPanel & WHM (Linux) before build 1.9.1.892, Acronis Backup extension for Plesk (Linux) before build 1.8.6.599, Acronis Backup plugin for DirectAdmin (Linux) before build 1.2.2.181. | |||||