ReportizFlow
Filtered by vendor
Subscriptions
Total
1395 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2009-1526 | 1 Jbmc-software | 1 Directadmin | 2025-12-12 | N/A |
| JBMC Software DirectAdmin before 1.334 allows local users to create or overwrite any file via a symlink attack on an arbitrary file in a certain temporary directory, related to a request for this temporary file in the PATH_INFO to the CMD_DB script during a backup action. | ||||
| CVE-2025-11489 | 1 Wonderwhy-er | 1 Desktopcommandermcp | 2025-12-12 | 4.5 Medium |
| A security vulnerability has been detected in wonderwhy-er DesktopCommanderMCP up to 0.2.13. This vulnerability affects the function isPathAllowed of the file src/tools/filesystem.ts. The manipulation leads to symlink following. The attack can only be performed from a local environment. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. The vendor explains: "Our restriction features are designed as guardrails for LLMs to help them stay closer to what users want, rather than hardened security boundaries. (...) For users where security is a top priority, we continue to recommend using Desktop Commander with Docker, which provides actual isolation. (...) We'll keep this issue open for future consideration if we receive more user demand for improved restrictions." This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2025-7073 | 1 Bitdefender | 3 Antivirus Plus, Internet Security, Total Security | 2025-12-12 | N/A |
| A local privilege escalation vulnerability in Bitdefender Total Security 27.0.46.231 allows low-privileged attackers to elevate privileges. The issue arises from bdservicehost.exe deleting files from a user-writable directory (C:\ProgramData\Atc\Feedback) without proper symbolic link validation, enabling arbitrary file deletion. This issue is chained with a file copy operation during network events and a filter driver bypass via DLL injection to achieve arbitrary file copy and code execution as elevated user. | ||||
| CVE-2025-8959 | 1 Hashicorp | 1 Go-getter | 2025-12-11 | 7.5 High |
| HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9. | ||||
| CVE-2025-59241 | 1 Microsoft | 6 Windows, Windows 11, Windows 11 24h2 and 3 more | 2025-12-11 | 7.8 High |
| Improper link resolution before file access ('link following') in Windows Health and Optimized Experiences Service allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-59281 | 1 Microsoft | 2 Windows, Xbox Gaming Services | 2025-12-11 | 7.8 High |
| Improper link resolution before file access ('link following') in XBox Gaming Services allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-55247 | 3 Linux, Microsoft, Redhat | 3 Linux Kernel, .net, Enterprise Linux | 2025-12-11 | 7.3 High |
| Improper link resolution before file access ('link following') in .NET allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-5718 | 2 Axis, Axis Communications Ab | 234 A1210 \(-b\), A1214, A1601 and 231 more | 2025-12-11 | 6.8 Medium |
| The ACAP Application framework could allow privilege escalation through a symlink attack. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | ||||
| CVE-2025-67487 | 2 Static-web-server, Static-web-server Project | 2 Static Web Server, Static-web-server | 2025-12-11 | 8.6 High |
| Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. Versions 2.40.0 and below contain symbolic links (symlinks) which can be used to access files or directories outside the intended web root folder. SWS generally does not prevent symlinks from escaping the web server’s root directory. Therefore, if a malicious actor gains access to the web server’s root directory, they could create symlinks to access other files outside the designated web root folder either by URL or via the directory listing. This issue is fixed in version 2.40.1. | ||||
| CVE-2025-60710 | 1 Microsoft | 6 Windows, Windows 11, Windows 11 24h2 and 3 more | 2025-12-11 | 7.8 High |
| Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2024-50404 | 1 Qnap | 1 Qsync Central | 2025-12-11 | 8.8 High |
| A link following vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow remote attackers who have gained user access to traverse the file system to unintended locations. We have already fixed the vulnerability in the following versions: Qsync Central 4.4.0.16_20240819 ( 2024/08/19 ) and later | ||||
| CVE-2025-46636 | 1 Dell | 1 Encryption | 2025-12-10 | 6.6 Medium |
| Dell Encryption, versions prior to 11.12.1, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information tampering. | ||||
| CVE-2025-46637 | 1 Dell | 1 Encryption | 2025-12-10 | 7.3 High |
| Dell Encryption, versions prior to 11.12.1, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A local malicious user could potentially exploit this vulnerability, leading to Elevation of privileges. | ||||
| CVE-2024-38081 | 1 Microsoft | 17 .net, .net Framework, Visual Studio and 14 more | 2025-12-10 | 7.3 High |
| .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability | ||||
| CVE-2024-35261 | 1 Microsoft | 2 Azure Network Watcher Agent, Azure Network Watcher Agent For Windows | 2025-12-10 | 7.8 High |
| Azure Network Watcher VM Extension Elevation of Privilege Vulnerability | ||||
| CVE-2024-38022 | 1 Microsoft | 20 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 17 more | 2025-12-10 | 7 High |
| Windows Image Acquisition Elevation of Privilege Vulnerability | ||||
| CVE-2024-38013 | 1 Microsoft | 20 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 17 more | 2025-12-10 | 6.7 Medium |
| Microsoft Windows Server Backup Elevation of Privilege Vulnerability | ||||
| CVE-2025-59510 | 1 Microsoft | 25 Remote, Windows, Windows 10 and 22 more | 2025-12-10 | 5.5 Medium |
| Improper link resolution before file access ('link following') in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to deny service locally. | ||||
| CVE-2024-48862 | 1 Qnap | 1 Qulog Center | 2025-12-08 | 9.8 Critical |
| A link following vulnerability has been reported to affect QuLog Center. If exploited, the vulnerability could allow remote attackers to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. We have already fixed the vulnerability in the following versions: QuLog Center 1.7.0.831 ( 2024/10/15 ) and later QuLog Center 1.8.0.888 ( 2024/10/15 ) and later | ||||
| CVE-2025-11578 | 1 Github | 1 Enterprise Server | 2025-12-08 | 7.2 High |
| A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user’s authorized keys—thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19, and was fixed in versions 3.14.20, 3.15.15, 3.16.11, 3.17.8, 3.18.2. This vulnerability was reported via the GitHub Bug Bounty program. | ||||