ReportizFlow
Filtered by vendor
Subscriptions
Total
1497 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-68279 | 1 Weblate | 1 Weblate | 2026-01-02 | 7.7 High |
| Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue. | ||||
| CVE-2025-66626 | 1 Argoproj | 2 Argo-workflows, Argo Workflows | 2025-12-19 | 8.1 High |
| Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions 3.6.13 and below and versions 3.7.0 through 3.7.4, contain unsafe untar code that handles symbolic links in archives. Concretely, the computation of a link's target and the subsequent check are flawed. An attacker can overwrite the file /var/run/argo/argoexec with a script of their choice, which would be executed at the pod's start. The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links. This issue is fixed in versions 3.6.14 and 3.7.5. | ||||
| CVE-2025-65843 | 3 Acustica-audio, Acusticaudio, Apple | 3 Aquarius, Aquarius Desktop, Macos | 2025-12-18 | 7.7 High |
| Aquarius Desktop 3.0.069 for macOS contains an insecure file handling vulnerability in its support data archive generation feature. The application follows symbolic links placed inside the ~/Library/Logs/Aquarius directory and treats them as regular files. When building the support ZIP, Aquarius recursively enumerates logs using a JUCE directory iterator configured to follow symlinks, and later writes file data without validating whether the target is a symbolic link. A local attacker can exploit this behavior by planting symlinks to arbitrary filesystem locations, resulting in unauthorized disclosure or modification of arbitrary files. When chained with the associated HelperTool privilege escalation issue, root-owned files may also be exposed. | ||||
| CVE-2023-4053 | 2 Mozilla, Redhat | 6 Firefox, Enterprise Linux, Rhel Aus and 3 more | 2025-12-18 | 6.5 Medium |
| A website could have obscured the full screen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 116, Firefox ESR < 115.2, and Thunderbird < 115.2. | ||||
| CVE-2024-35254 | 1 Microsoft | 1 Azure Monitor Agent | 2025-12-18 | 7.1 High |
| Azure Monitor Agent Elevation of Privilege Vulnerability | ||||
| CVE-2024-35253 | 1 Microsoft | 1 Azure File Sync | 2025-12-18 | 4.4 Medium |
| Microsoft Azure File Sync Elevation of Privilege Vulnerability | ||||
| CVE-2024-30104 | 1 Microsoft | 5 365 Apps, Office, Office 2016 and 2 more | 2025-12-18 | 7.8 High |
| Microsoft Office Remote Code Execution Vulnerability | ||||
| CVE-2024-30093 | 1 Microsoft | 23 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 20 more | 2025-12-18 | 7.3 High |
| Windows Storage Elevation of Privilege Vulnerability | ||||
| CVE-2024-30065 | 1 Microsoft | 20 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 17 more | 2025-12-18 | 5.5 Medium |
| Windows Themes Denial of Service Vulnerability | ||||
| CVE-2024-30076 | 1 Microsoft | 17 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 14 more | 2025-12-18 | 6.8 Medium |
| Windows Container Manager Service Elevation of Privilege Vulnerability | ||||
| CVE-2022-45440 | 1 Zyxel | 2 Ax7501-b0, Ax7501-b0 Firmware | 2025-12-17 | 4.4 Medium |
| A vulnerability exists in the FTP server of the Zyxel AX7501-B0 firmware prior to V5.17(ABPC.3)C0, which processes symbolic links on external storage media. A local authenticated attacker with administrator privileges could abuse this vulnerability to access the root file system by creating a symbolic link on external storage media, such as a USB flash drive, and then logging into the FTP server on a vulnerable device. | ||||
| CVE-2009-1526 | 1 Directadmin | 1 Directadmin | 2025-12-17 | N/A |
| JBMC Software DirectAdmin before 1.334 allows local users to create or overwrite any file via a symlink attack on an arbitrary file in a certain temporary directory, related to a request for this temporary file in the PATH_INFO to the CMD_DB script during a backup action. | ||||
| CVE-2025-0377 | 1 Hashicorp | 1 Go-slug | 2025-12-16 | 7.5 High |
| HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry. | ||||
| CVE-2025-11489 | 1 Wonderwhy-er | 1 Desktopcommandermcp | 2025-12-12 | 4.5 Medium |
| A security vulnerability has been detected in wonderwhy-er DesktopCommanderMCP up to 0.2.13. This vulnerability affects the function isPathAllowed of the file src/tools/filesystem.ts. The manipulation leads to symlink following. The attack can only be performed from a local environment. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. The vendor explains: "Our restriction features are designed as guardrails for LLMs to help them stay closer to what users want, rather than hardened security boundaries. (...) For users where security is a top priority, we continue to recommend using Desktop Commander with Docker, which provides actual isolation. (...) We'll keep this issue open for future consideration if we receive more user demand for improved restrictions." This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2025-8959 | 1 Hashicorp | 1 Go-getter | 2025-12-11 | 7.5 High |
| HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9. | ||||
| CVE-2025-67487 | 2 Static-web-server, Static-web-server Project | 2 Static Web Server, Static-web-server | 2025-12-11 | 8.6 High |
| Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. Versions 2.40.0 and below contain symbolic links (symlinks) which can be used to access files or directories outside the intended web root folder. SWS generally does not prevent symlinks from escaping the web server’s root directory. Therefore, if a malicious actor gains access to the web server’s root directory, they could create symlinks to access other files outside the designated web root folder either by URL or via the directory listing. This issue is fixed in version 2.40.1. | ||||
| CVE-2024-50404 | 1 Qnap | 1 Qsync Central | 2025-12-11 | 8.8 High |
| A link following vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow remote attackers who have gained user access to traverse the file system to unintended locations. We have already fixed the vulnerability in the following versions: Qsync Central 4.4.0.16_20240819 ( 2024/08/19 ) and later | ||||
| CVE-2025-46636 | 1 Dell | 1 Encryption | 2025-12-10 | 6.6 Medium |
| Dell Encryption, versions prior to 11.12.1, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information tampering. | ||||
| CVE-2024-38081 | 1 Microsoft | 17 .net, .net Framework, Visual Studio and 14 more | 2025-12-10 | 7.3 High |
| .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability | ||||
| CVE-2024-35261 | 1 Microsoft | 2 Azure Network Watcher Agent, Azure Network Watcher Agent For Windows | 2025-12-10 | 7.8 High |
| Azure Network Watcher VM Extension Elevation of Privilege Vulnerability | ||||