Severity by source
AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Local access required to plant the symlink (AV:L); timing/positioning dependency justifies AC:H; unprivileged users can create symlinks in writable directories so PR:N stands; C/I/A all high due to privileged arbitrary file write.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
pwnlift before d7a9544, in a privileged deployment, contains a symlink following vulnerability in the upload handler in Components/Pages/Home.razor.
AnalysisAI
Symlink following in pwnlift's Blazor upload handler permits arbitrary file write with elevated system privileges when the application is deployed in a privileged (root or high-privilege) context. All pwnlift releases before commit d7a95449d9ee1ea09ec1529286685f6187afbbed are affected through the upload component in Components/Pages/Home.razor. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three specific, concurrent conditions: (1) pwnlift must be running in a privileged deployment - explicitly called out in the CVE description - meaning the process runs as root, SYSTEM, or another high-privilege account; without this, the attack yields no privilege escalation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 7.4 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects a high-impact but locally-constrained, high-complexity flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker with write access to the directory housing pwnlift's Uploads folder replaces that directory with a symlink pointing to a sensitive location such as /etc/cron.d or /root/.ssh/authorized_keys. When a legitimate operator subsequently uploads a file through the pwnlift web UI, the application - running as root - resolves the path through the symlink and writes the attacker-controlled file content to the target location, achieving arbitrary privileged file write. … |
| Remediation | The primary remediation is to update pwnlift to or beyond commit d7a95449d9ee1ea09ec1529286685f6187afbbed, available at https://github.com/rasta-mouse/pwnlift/commit/d7a95449d9ee1ea09ec1529286685f6187afbbed; note that this is a source-level fix commit, not a tagged release, so operators must build from this commit or later. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all pwnlift deployments and determine which run with elevated privileges (root or administrative accounts). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-61 – UNIX Symbolic Link (Symlink) Following
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38454
GHSA-9x6c-xp5w-ch33