Common Weakness Enumeration

CWE-61

Allowed

UNIX Symbolic Link (Symlink) Following

Abstraction: Compound · Status: Incomplete

The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

270 vulnerabilities reference this CWE, most recent first.

GHSA-6QFG-8799-R575

Vulnerability from github – Published: 2021-05-18 15:30 – Updated: 2023-09-18 20:30
VLAI
Summary
Kubernetes kubectl cp Vulnerable to Symlink Attack
Details

The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar output of a malicious container to place a file outside of the destination directory specified in the kubectl cp invocation. This could be used to allow an attacker to place a nefarious file using a symlink, outside of the destination tree.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "k8s.io/kubernetes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.13.10"
            },
            {
              "fixed": "1.13.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "k8s.io/kubernetes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.14.6"
            },
            {
              "fixed": "1.14.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "k8s.io/kubernetes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.15.3"
            },
            {
              "fixed": "1.16.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-11251"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59",
      "CWE-61"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-17T21:58:06Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar output of a malicious container to place a file outside of the destination directory specified in the kubectl cp invocation. This could be used to allow an attacker to place a nefarious file using a symlink, outside of the destination tree.",
  "id": "GHSA-6qfg-8799-r575",
  "modified": "2023-09-18T20:30:39Z",
  "published": "2021-05-18T15:30:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11251"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/issues/87773"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/pull/82143"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/d/msg/kubernetes-announce/YYtEFdFimZ4/nZnOezZuBgAJ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Kubernetes kubectl cp Vulnerable to Symlink Attack"
}

GHSA-6V73-JJ37-XGGM

Vulnerability from github – Published: 2024-11-15 18:30 – Updated: 2024-11-15 18:30
VLAI
Details

Three vulnerabilities in the CLI of Cisco TelePresence CE and RoomOS could allow an authenticated, local attacker to overwrite arbitrary files on the local file system of an affected device.

These vulnerabilities are due to improper access controls on files that are on the local file system. An attacker could exploit these vulnerabilities by placing a symbolic link in a specific location on the local file system of an affected device. A successful exploit could allow the attacker to overwrite arbitrary files on the affected device. To exploit these vulnerabilities, an attacker would need to have a remote support user account. Note: CVE-2023-20092 does not affect Cisco DX70, DX80, TelePresence MX Series, or TelePresence SX Series devices. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20093"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-61"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-15T16:15:26Z",
    "severity": "MODERATE"
  },
  "details": "Three vulnerabilities in the CLI of Cisco TelePresence CE and RoomOS could allow an authenticated, local attacker to overwrite arbitrary files on the local file system of an affected device.\n\nThese vulnerabilities are due to improper access controls on files that are on the local file system. An attacker could exploit these vulnerabilities by placing a symbolic link in a specific location on the local file system of an affected device. A successful exploit could allow the attacker to overwrite arbitrary files on the affected device. To exploit these vulnerabilities, an attacker would need to have a remote support user account.\nNote: CVE-2023-20092 does not affect Cisco DX70, DX80, TelePresence MX Series, or TelePresence SX Series devices.\nCisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.",
  "id": "GHSA-6v73-jj37-xggm",
  "modified": "2024-11-15T18:30:50Z",
  "published": "2024-11-15T18:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20093"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-roomos-file-write-rHKwegKf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6WXM-MPQJ-6JPF

Vulnerability from github – Published: 2025-01-28 17:29 – Updated: 2025-02-18 22:36
VLAI
Summary
Insecure Temporary File usage in github.com/golang/glog
Details

When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/golang/glog"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45339"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377",
      "CWE-61"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-28T17:29:03Z",
    "nvd_published_at": "2025-01-28T02:15:28Z",
    "severity": "MODERATE"
  },
  "details": "When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process\u0027s log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.",
  "id": "GHSA-6wxm-mpqj-6jpf",
  "modified": "2025-02-18T22:36:58Z",
  "published": "2025-01-28T17:29:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45339"
    },
    {
      "type": "WEB",
      "url": "https://github.com/golang/glog/pull/74"
    },
    {
      "type": "WEB",
      "url": "https://github.com/golang/glog/pull/74/commits/b8741656e406e66d6992bc2c9575e460ecaa0ec2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/golang/glog"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/golang-announce/c/H-Q4ouHWyKs"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00019.html"
    },
    {
      "type": "WEB",
      "url": "https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3372"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Insecure Temporary File usage in github.com/golang/glog"
}

GHSA-6XC8-63F8-5G3W

Vulnerability from github – Published: 2025-10-13 15:31 – Updated: 2025-10-13 15:31
VLAI
Details

SupportAssist for Home PCs versions 4.8.2 and prior and SupportAssist for Business PCs versions 4.5.3 and prior, contain an UNIX Symbolic Link (Symlink) following vulnerability. A low privileged attacker with local access to the system could potentially exploit this vulnerability to delete arbitrary files only in that affected system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-43991"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-61"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-13T15:16:04Z",
    "severity": "MODERATE"
  },
  "details": "SupportAssist for Home PCs versions 4.8.2 and prior and SupportAssist for Business PCs versions 4.5.3 and prior, contain an UNIX Symbolic Link (Symlink) following vulnerability. A low privileged attacker with local access to the system could potentially exploit this vulnerability to delete arbitrary files only in that affected system.",
  "id": "GHSA-6xc8-63f8-5g3w",
  "modified": "2025-10-13T15:31:18Z",
  "published": "2025-10-13T15:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43991"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000378367/dsa-2025-362-security-update-for-dell-supportassist-for-home-pcs-and-dell-supportassist-for-business-pcs-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-72FC-7PFF-VV9C

Vulnerability from github – Published: 2024-12-18 03:31 – Updated: 2024-12-18 03:31
VLAI
Details

Dell Inventory Collector Client, versions prior to 12.7.0, contains an Improper Link Resolution Before File Access vulnerability. A low-privilege attacker with local access may exploit this vulnerability, potentially resulting in Elevation of Privileges and unauthorized file system access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47480"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59",
      "CWE-61"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-18T03:15:26Z",
    "severity": "HIGH"
  },
  "details": "Dell Inventory Collector Client, versions prior to 12.7.0, contains an Improper Link Resolution Before File Access vulnerability. A low-privilege attacker with local access may exploit this vulnerability, potentially resulting in Elevation of Privileges and unauthorized file system access.",
  "id": "GHSA-72fc-7pff-vv9c",
  "modified": "2024-12-18T03:31:47Z",
  "published": "2024-12-18T03:31:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47480"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000255700/dsa-2024-475"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-74M3-9QVM-RP9H

Vulnerability from github – Published: 2026-04-25 23:34 – Updated: 2026-05-12 13:29
VLAI
Summary
zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write
Details

Summary The zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without OS-level permission restrictions—write or overwrite files anywhere on the host filesystem accessible to the zrok process.

  • Attack Vector: Network — exploitation is performed entirely over the WebDAV endpoint; the attacker issues HTTP requests to the public zrok share URL.
  • Attack Complexity: High — a precondition outside the attacker's direct control must hold: a symlink pointing outside DriveRoot must already exist within it (created locally, not via WebDAV).
  • Privileges Required: None — zrok share public --backend-mode drive exposes the WebDAV endpoint with no authentication by default.
  • User Interaction: None — once the symlink precondition is met, exploitation requires no user interaction.
  • Scope: Changed — the vulnerability allows an attacker to escape the WebDAV root (the security boundary) and access the broader host filesystem.
  • Confidentiality Impact: High — arbitrary files readable by the zrok process can be retrieved.
  • Integrity Impact: High — the WebDAV PUT handler opens files with O_RDWR|O_CREATE|O_TRUNC, meaning symlink targets outside DriveRoot can be overwritten (e.g. ~/.ssh/authorized_keys).
  • Availability Impact: None — no direct availability impact.

Affected Components

  • drives/davServer/file.go — Dir.OpenFile (line 140), Dir.Stat (line 176), Dir.Mkdir (line 133), Dir.RemoveAll (line 151)
  • endpoints/drive/backend.go — NewBackend (line 51–52)
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openziti/zrok"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.1.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openziti/zrok/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42275"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-61"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-25T23:34:35Z",
    "nvd_published_at": "2026-05-08T04:16:22Z",
    "severity": "HIGH"
  },
  "details": "**Summary**\nThe zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and\u2014on shares without OS-level permission restrictions\u2014write or overwrite files anywhere on the host filesystem accessible to the zrok process.\n\n- Attack Vector: Network \u2014 exploitation is performed entirely over the WebDAV endpoint; the attacker issues HTTP requests to the public zrok share URL.\n- Attack Complexity: High \u2014 a precondition outside the attacker\u0027s direct control must hold: a symlink pointing outside DriveRoot must already exist within it (created locally, not via WebDAV).\n- Privileges Required: None \u2014 zrok share public --backend-mode drive exposes the WebDAV endpoint with no authentication by default.\n- User Interaction: None \u2014 once the symlink precondition is met, exploitation requires no user interaction.\n- Scope: Changed \u2014 the vulnerability allows an attacker to escape the WebDAV root (the security boundary) and access the broader host filesystem.\n- Confidentiality Impact: High \u2014 arbitrary files readable by the zrok process can be retrieved.\n- Integrity Impact: High \u2014 the WebDAV PUT handler opens files with O_RDWR|O_CREATE|O_TRUNC, meaning symlink targets outside DriveRoot can be overwritten (e.g. ~/.ssh/authorized_keys).\n- Availability Impact: None \u2014 no direct availability impact.\n\nAffected Components\n\n- drives/davServer/file.go \u2014 Dir.OpenFile (line 140), Dir.Stat (line 176), Dir.Mkdir (line 133), Dir.RemoveAll (line 151)\n- endpoints/drive/backend.go \u2014 NewBackend (line 51\u201352)",
  "id": "GHSA-74m3-9qvm-rp9h",
  "modified": "2026-05-12T13:29:09Z",
  "published": "2026-04-25T23:34:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openziti/zrok/security/advisories/GHSA-74m3-9qvm-rp9h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42275"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openziti/zrok/commit/459bcfc1e121decae1b1d11c37ad94e4ed5bbf2e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openziti/zrok"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openziti/zrok/releases/tag/v2.0.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write"
}

GHSA-7H2Q-899J-9636

Vulnerability from github – Published: 2026-05-14 15:31 – Updated: 2026-05-14 15:31
VLAI
Details

Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6475"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-61"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-14T14:16:25Z",
    "severity": "HIGH"
  },
  "details": "Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account.  It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries.  Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.",
  "id": "GHSA-7h2q-899j-9636",
  "modified": "2026-05-14T15:31:58Z",
  "published": "2026-05-14T15:31:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6475"
    },
    {
      "type": "WEB",
      "url": "https://www.postgresql.org/support/security/CVE-2026-6475"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7JM9-XPWX-V999

Vulnerability from github – Published: 2024-11-05 21:30 – Updated: 2024-11-05 21:30
VLAI
Details

NVIDIA Container Toolkit and NVIDIA GPU Operator for Linux contain a UNIX vulnerability where a specially crafted container image can lead to the creation of unauthorized files on the host. The name and location of the files cannot be controlled by an attacker. A successful exploit of this vulnerability might lead to data tampering.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0134"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-61"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-05T19:15:05Z",
    "severity": "MODERATE"
  },
  "details": "NVIDIA Container Toolkit and NVIDIA GPU Operator for Linux contain a UNIX vulnerability where a specially crafted container image can lead to the creation of unauthorized files on the host. The name and location of the files cannot be controlled by an attacker. A successful exploit of this vulnerability might lead to data tampering.",
  "id": "GHSA-7jm9-xpwx-v999",
  "modified": "2024-11-05T21:30:43Z",
  "published": "2024-11-05T21:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0134"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5585"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7MHF-6FHV-C83C

Vulnerability from github – Published: 2025-12-26 00:30 – Updated: 2025-12-26 03:30
VLAI
Details

Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-68937"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-61"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-26T00:16:01Z",
    "severity": "CRITICAL"
  },
  "details": "Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.",
  "id": "GHSA-7mhf-6fhv-c83c",
  "modified": "2025-12-26T03:30:14Z",
  "published": "2025-12-26T00:30:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68937"
    },
    {
      "type": "WEB",
      "url": "https://blog.gitea.com/release-of-1.24.7"
    },
    {
      "type": "WEB",
      "url": "https://codeberg.org/forgejo/forgejo/milestone/27340"
    },
    {
      "type": "WEB",
      "url": "https://codeberg.org/forgejo/forgejo/milestone/29156"
    },
    {
      "type": "WEB",
      "url": "https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/11.0.7.md"
    },
    {
      "type": "WEB",
      "url": "https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/13.0.2.md"
    },
    {
      "type": "WEB",
      "url": "https://codeberg.org/forgejo/security-announcements/issues/43"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7PCG-JHJM-W87W

Vulnerability from github – Published: 2026-03-25 03:31 – Updated: 2026-03-26 21:31
VLAI
Details

This issue was addressed with improved handling of symlinks. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.4, macOS Sonoma 14.8.5, macOS Tahoe 26.3, macOS Tahoe 26.4. An app may be able to access user-sensitive data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20694"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59",
      "CWE-61"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T01:17:06Z",
    "severity": "MODERATE"
  },
  "details": "This issue was addressed with improved handling of symlinks. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.4, macOS Sonoma 14.8.5, macOS Tahoe 26.3, macOS Tahoe 26.4. An app may be able to access user-sensitive data.",
  "id": "GHSA-7pcg-jhjm-w87w",
  "modified": "2026-03-26T21:31:22Z",
  "published": "2026-03-25T03:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20694"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126346"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126348"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126349"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126350"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126794"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126795"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126796"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Symbolic link attacks often occur when a program creates a tmp directory that stores files/links. Access to the directory should be restricted to the program as to prevent attackers from manipulating the files.

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-27: Leveraging Race Conditions via Symbolic Links

This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.