
CWE-59 (Improper Link Resolution Before File Access ('Link Following')): vulnerability class, 426 entries

426 vulnerabilities classified as CWE-59 (Improper Link Resolution Before File Access ('Link Following')). AI-generated Chinese analysis included.

CWE-59 covers software that accesses a file by name without preventing that name from resolving through a symbolic link, hard link, NTFS junction or Windows shortcut to a resource outside the intended scope. The typical attack does not need to supply a path at all: the attacker plants a link in a location the program is going to read or write (an upload directory, a world-writable temporary directory, a restored backup or extracted archive) so that a privileged operation lands on a sensitive file instead of the expected one. The consequences follow directly: disclosure of files the attacker could not otherwise read, overwrite of files the attacker could not otherwise write (configuration, credentials, files owned by root, as in several of the local privilege escalation entries listed below), bypass of any protection mechanism that depends on the affected file, and on Windows execution of code through an uploaded .LNK. Mitigation has to happen at the point of access, not on the path string alone. Canonicalizing a path and checking it against the permitted base directory rejects obvious traversal, but it is a time-of-check/time-of-use race: the link can be created between the check and the open. Robust code opens with flags that refuse to follow links (O_NOFOLLOW, or openat2 with RESOLVE_BENEATH or RESOLVE_NO_SYMLINKS on Linux; FILE_FLAG_OPEN_REPARSE_POINT on Windows), resolves relative to a directory descriptor rather than an absolute string, verifies the descriptor it actually obtained with fstat (regular file, expected owner, link count of one), and runs with the least privilege needed so that a link it does follow still cannot reach anything valuable.
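As an added example (not code from this page or from any of the projects listed below), the vulnerable write that follows a planted symlink is shown beside a hardened version that opens with O_NOFOLLOW relative to a directory descriptor and checks the opened descriptor with fstat instead of canonicalizing the path string. It assumes a POSIX system (Linux or macOS) and builds its own temporary directory layout, so it runs offline; the file names and contents are constructed for the demonstration.

```python
"""CWE-59 in miniature: a write that follows a planted symlink beside one that refuses to.

Added example for this page, not code from any project listed on it. Assumes POSIX:
O_NOFOLLOW, O_DIRECTORY and the dir_fd argument of os.open are used, and the demo
creates a symlink, which needs no privilege on Linux or macOS.
"""
import os
import stat
import tempfile


class LinkFollowingError(Exception):
    """Raised when a name would resolve outside the base directory or through a link."""


def naive_write(base_dir: str, name: str, data: bytes) -> str:
    """Vulnerable form: joins the path and calls open(), which follows symlinks.

    If an attacker can plant base_dir/<name> as a symlink to any file the process
    may write, this overwrites that target.
    """
    path = os.path.join(base_dir, name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def safe_write(base_dir: str, name: str, data: bytes) -> str:
    """Hardened form: no path-string canonicalisation; the checks are on descriptors.

    1. Accept only a single path component, so the name can resolve to nothing but
       a direct child of base_dir.
    2. Open relative to a descriptor for base_dir with O_NOFOLLOW: a symlink at the
       final component makes the kernel fail the open (ELOOP) instead of following
       it, and base_dir itself cannot be swapped for a link after we opened it.
    3. fstat the descriptor we actually got and insist on a regular file with a
       single link, so a planted hard link to a sensitive file is refused as well.
    """
    if name in ("", ".", "..") or os.sep in name or (os.altsep and os.altsep in name):
        raise LinkFollowingError(f"refusing empty or multi-component name: {name!r}")

    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW | getattr(os, "O_CLOEXEC", 0)
    dir_fd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        try:
            fd = os.open(name, flags, 0o600, dir_fd=dir_fd)
        except OSError as exc:
            # ELOOP is what O_NOFOLLOW returns when the final component is a symlink.
            raise LinkFollowingError(f"{name!r} is a link or not openable: {exc.strerror}") from exc
        try:
            st = os.fstat(fd)
            if not stat.S_ISREG(st.st_mode):
                raise LinkFollowingError(f"{name!r} is not a regular file")
            if st.st_nlink != 1:
                raise LinkFollowingError(f"{name!r} has {st.st_nlink} links; possible hard-link attack")
            os.ftruncate(fd, 0)  # truncate only after the descriptor passed the checks
            os.write(fd, data)
        finally:
            os.close(fd)
    finally:
        os.close(dir_fd)
    return os.path.join(base_dir, name)


def demo() -> dict:
    """Constructed layout: root/secret.txt, and root/base/upload.txt -> root/secret.txt."""
    root = tempfile.mkdtemp(prefix="cwe59-")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "wb") as f:
        f.write(b"original secret\n")
    base = os.path.join(root, "base")
    os.mkdir(base)
    os.symlink(secret, os.path.join(base, "upload.txt"))  # the attacker-planted link

    # The naive write lands on secret.txt through the link.
    naive_write(base, "upload.txt", b"attacker data\n")
    with open(secret, "rb") as f:
        secret_after_naive = f.read()

    # Restore the file, then show the hardened write refuses the same name.
    with open(secret, "wb") as f:
        f.write(b"original secret\n")
    safe_blocked = False
    try:
        safe_write(base, "upload.txt", b"attacker data\n")
    except LinkFollowingError:
        safe_blocked = True
    with open(secret, "rb") as f:
        secret_after_safe = f.read()

    # A traversal name is rejected before any open happens.
    traversal_blocked = False
    try:
        safe_write(base, "../secret.txt", b"attacker data\n")
    except LinkFollowingError:
        traversal_blocked = True

    # A legitimate new file in base_dir still works.
    safe_write(base, "report.txt", b"legitimate content\n")
    with open(os.path.join(base, "report.txt"), "rb") as f:
        report = f.read()

    return {
        "secret_after_naive": secret_after_naive,
        "safe_blocked": safe_blocked,
        "secret_after_safe": secret_after_safe,
        "traversal_blocked": traversal_blocked,
        "report": report,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The hardened version deliberately never calls realpath: a check on a path string can be invalidated by a link created a moment later, whereas a check on the descriptor returned by open describes the object that will actually be written. O_NOFOLLOW only protects the final component, which is why the name is restricted to one component; code that must accept nested relative paths should use openat2 with RESOLVE_BENEATH (Linux 5.6 and later) or walk the components one at a time with O_NOFOLLOW and O_DIRECTORY. The link-count check is the cheap defence against hard links on systems where fs.protected_hardlinks is not enabled.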

MITRE CWE Description
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Common Consequences (2)
Scope: Confidentiality, Integrity, Access Control. Impact: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism.
An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism then an attacker may be able to bypass the mechanism.
Scope: Other. Impact: Execute Unauthorized Code or Commands.
Windows simple shortcuts, sometimes referred to as soft links, can be exploited remotely since a ".LNK" file can be uploaded like a normal file. This can enable remote execution.
Mitigations (1)
Phase: Architecture and Design. Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2021-47949 | CyberPanel 2.1 Authenticated Remote Code Execution via Symlink Attack | CyberPanel | 8.8 | High | 2026-05-10
CVE-2026-41882 | JetBrains IntelliJ IDEA link following vulnerability | IntelliJ IDEA | 7.4 | High | 2026-04-30
CVE-2026-27105 | Dell Alienware Purchased Apps link following vulnerability | Dell/Alienware Purchased Apps | 6.3 | Medium | 2026-04-29
CVE-2026-5161 | Improper Authentication in TUBITAK BILGEM's Pardus About | Pardus About | 8.8 | High | 2026-04-29
CVE-2026-41397 | OpenClaw < 2026.3.31 - Sandbox Escape via Unrestricted File Sync and Symlink Traversal | OpenClaw | 6.8 | Medium | 2026-04-28
CVE-2026-40977 | VMware Spring Boot link following vulnerability | Spring Boot | 4.7 | Medium | 2026-04-27
CVE-2026-41364 | OpenClaw < 2026.3.31 - Arbitrary File Write via Symlink Following in SSH Sandbox Tar Upload | OpenClaw | 8.1 | High | 2026-04-27
CVE-2026-6941 | radare2 < 6.1.4 Project Notes Path Traversal via Symlink | radare2 | 6.6 | Medium | 2026-04-23
CVE-2026-33694 | Junction File Manipulation | Tenable Nessus, Tenable Nessus Agent | 8.4 (AI) | High (AI) | 2026-04-23
CVE-2026-41231 | Froxlor has Incomplete Symlink Validation in DataDump.add() that Allows Arbitrary Directory Ownership Takeover via Cron | froxlor | 7.5 | High | 2026-04-23
CVE-2026-35365 | uutils coreutils mv Denial of Service and Data Duplication via Improper Symlink Expansion | coreutils | 6.6 | Medium | 2026-04-22
CVE-2026-35349 | uutils coreutils Path-Based Safety Bypass with --preserve-root | coreutils | 6.7 | Medium | 2026-04-22
CVE-2026-40931 | Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing | compressing | 8.4 | High | 2026-04-21
CVE-2026-28684 | python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback | python-dotenv | 6.6 | Medium | 2026-04-20
CVE-2026-20161 | Cisco ThousandEyes Enterprise Agent Arbitrary File Overwrite Vulnerability | Cisco ThousandEyes Enterprise Agent | 5.5 | Medium | 2026-04-15
CVE-2026-4135 | Lenovo Software Fix security vulnerability | Software Fix | 6.6 | Medium | 2026-04-15
CVE-2026-0827 | Lenovo Diagnostics security vulnerability | Diagnostics | 7.1 | High | 2026-04-15
CVE-2026-32212 | Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability | Windows 10 Version 1607 | 5.5 | Medium | 2026-04-14
CVE-2026-35400 | LORIS incorrectly trusts user input in publication module | Loris | 3.5 | Low | 2026-04-08
CVE-2026-27456 | util-linux: TOCTOU Race Condition in util-linux mount(8) - Loop Device Setup | util-linux | 4.7 | Medium | 2026-04-03
CVE-2026-34452 | Claude SDK for Python: Memory Tool Path Validation Race Condition Allows Sandbox Escape | anthropic-sdk-python | 8.4 | - | 2026-03-31
CVE-2026-32054 | OpenClaw < 2026.2.25 - Symlink Traversal in Browser Trace/Download Path Handling | OpenClaw | 6.5 | Medium | 2026-03-21
CVE-2026-32024 | OpenClaw < 2026.2.22 - Symlink Traversal in Avatar Handling | OpenClaw | 5.5 | Medium | 2026-03-19
CVE-2026-32020 | OpenClaw < 2026.2.22 - Arbitrary File Read via Symlink Following in Static File Handler | OpenClaw | 3.3 | Low | 2026-03-19
CVE-2026-32013 | OpenClaw < 2026.2.25 - Symlink Traversal in agents.files Methods | OpenClaw | 8.8 | High | 2026-03-19
CVE-2026-31990 | OpenClaw < 2026.3.2 - Symlink Traversal in stageSandboxMedia Destination | OpenClaw | 6.1 | Medium | 2026-03-19
CVE-2026-22180 | OpenClaw < 2026.3.2 - Path Confinement Bypass in Browser Output and File Write Operations | OpenClaw | 5.3 | Medium | 2026-03-18
CVE-2026-2808 | Consul vulnerable to arbitrary file reads through the vault kubernetes authentication provider | Consul | 6.8 | Medium | 2026-03-11
CVE-2026-31979 | himmelblaud-tasks: local privilege escalation via /tmp symlink attack on Kerberos ccache | himmelblau | 8.8 | High | 2026-03-11
CVE-2026-31894 | WeGIA affected by arbitrary file read via symlink in backup restore | WeGIA | 7.5 (AI) | High (AI) | 2026-03-11

Scores and severities marked "(AI)" are AI-estimated rather than vendor- or NVD-assigned; "-" means no severity was recorded.

Vulnerabilities classified as CWE-59 (Improper Link Resolution Before File Access ('Link Following')) account for 426 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.