Skip to main content

CWE-377

Insecure Temporary File

64 CVEs Avg CVSS 6.3 MITRE
1
CRITICAL
29
HIGH
25
MEDIUM
8
LOW
12
POC
0
KEV

Monthly

CVE-2026-53759 PyPI LOW PATCH GHSA Monitor

Arbitrary file write as root via symlink attack in Linuxfabrik Monitoring Plugins affects any deployment using the provided sudoers configuration. The monitoring plugins create SQLite databases at predictable, static paths under /tmp; an attacker who has already gained access to the nagios service account can pre-place symlinks at those paths, and when a monitoring script is subsequently invoked via sudo, it follows the symlink and writes a SQLite database to any attacker-chosen path on the filesystem. A proof-of-concept is included in the GitHub Security Advisory GHSA-r35r-fpx2-jgr4, and no CISA KEV listing or CVSS score has been assigned at time of analysis.

Denial Of Service Docker
NVD GitHub
CVE-2026-41991 LOW PATCH Monitor

Arbitrary file overwrite in GNU gzip's gzexe utility allows a local attacker to corrupt victim-accessible files via a symlink attack exploiting predictable temporary filename construction. When mktemp is absent from the user's PATH, gzexe falls back to PID-based temp file naming without exclusive creation or existence checks, enabling a TOCTOU race where a pre-planted symlink redirects the write to an attacker-chosen target. No public exploit or CISA KEV listing exists at time of analysis; impact is limited to low-integrity file overwrite with a CVSS 4.0 score of 2.0.

Information Disclosure Gzip
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-41001 MEDIUM PATCH This Month

Insecure temporary file handling in Spring Boot's ArtemisEmbeddedConfigurationFactory allows a local, low-privileged attacker on the same host to hijack the embedded Apache ActiveMQ Artemis broker's data directory before the application starts. By pre-creating the predictable static path or placing a symlink at that location, the attacker can redirect broker persistence writes - including application messages, journal files, and bindings - to an attacker-controlled filesystem location, yielding partial confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis, but the vulnerability spans five active Spring Boot release trains (2.7.x through 4.0.x), broadening aggregate exposure.

Java Information Disclosure Spring Boot
NVD VulDB HeroDevs
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-49135 HIGH PATCH This Week

Local privilege-level information disclosure and artifact tampering in CodexBar versions prior to 0.32.0 allows authenticated users on the same macOS host to read App Store Connect API keys and hijack release builds via predictable temporary file paths in the notarization workflow. The flaw stems from writing sensitive credentials and notarization archives to fixed, world-reachable locations rather than per-run private directories, enabling symlink races and pre-creation attacks. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Codexbar
NVD GitHub
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-49134 HIGH PATCH This Week

Local privilege escalation in CodexBar prior to 0.32.0 allows a same-user attacker to execute arbitrary commands as root by winning a TOCTOU race against the CLI installer's temporary file. The installer writes a privileged shell payload via mktemp and invokes it through bash under an administrator prompt, leaving a window in which the file body can be swapped before approval. No public exploit identified at time of analysis, but VulnCheck published an advisory and the upstream patch is merged.

Privilege Escalation Codexbar
NVD GitHub
CVSS 4.0
7.5
EPSS
0.1%
CVE-2025-67223 HIGH This Week

Unauthenticated remote attackers can access sensitive documents containing personally identifiable information (PII) in Aranda Service Desk versions prior to 8.3.12 by exploiting predictable log file names in the Aranda File Server (AFS) component. Attackers retrieve daily activity logs from a publicly accessible directory to obtain direct virtual paths of uploaded files, then bypass access controls to download the documents. CISA SSVC framework confirms proof-of-concept code exists and the vulnerability is fully automatable, significantly lowering the barrier to exploitation despite no confirmed active exploitation at time of analysis.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-40979 Maven MEDIUM PATCH This Month

Spring AI versions 1.0.0-1.0.5 and 1.1.0-1.1.4 expose ONNX machine learning models to unauthorized disclosure when the application runs in shared hosting environments, allowing local users with limited system access to read sensitive model files and potentially reverse-engineer proprietary ML logic. The vulnerability stems from insecure temporary file handling (CWE-377) that fails to restrict file permissions on extracted model artifacts. Authentication requirements are minimal-only local system access is needed-making this a significant risk in multi-tenant cloud platforms and shared servers.

Information Disclosure Java
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-40973 Maven HIGH PATCH GHSA This Week

Local privilege escalation and session hijacking in Spring Boot allows attackers with local access to hijack authenticated sessions or execute arbitrary code by taking control of the ApplicationTemp directory. The vulnerability affects Spring Boot versions 2.7.0 through 4.0.5 when server.servlet.session.persistent is enabled, requiring attack persistence across application restarts. VMware has released patches for all supported branches (4.0.6, 3.5.14, 3.4.16, 3.3.19, 2.7.33), though unsupported versions remain vulnerable. No active exploitation confirmed at time of analysis.

Information Disclosure Java Red Hat
NVD HeroDevs VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-35342 Cargo LOW PATCH GHSA Monitor

mktemp utility in uutils coreutils mishandles empty TMPDIR environment variables by creating temporary files in the current working directory instead of falling back to /tmp, potentially exposing sensitive data if the CWD has overly permissive access controls. Affects uutils coreutils versions prior to 0.6.0 and requires local attacker with limited privileges to manipulate the environment or exploit overly accessible working directories; CVSS 3.3 reflects low severity (local access, limited confidentiality impact) despite information disclosure risk.

Information Disclosure Authentication Bypass Coreutils
NVD GitHub
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-20204 HIGH PATCH This Week

In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory.

RCE Splunk Enterprise Splunk Cloud Platform
NVD
CVSS 3.1
7.1
EPSS
0.1%
LOW PATCH Monitor

Arbitrary file write as root via symlink attack in Linuxfabrik Monitoring Plugins affects any deployment using the provided sudoers configuration. The monitoring plugins create SQLite databases at predictable, static paths under /tmp; an attacker who has already gained access to the nagios service account can pre-place symlinks at those paths, and when a monitoring script is subsequently invoked via sudo, it follows the symlink and writes a SQLite database to any attacker-chosen path on the filesystem. A proof-of-concept is included in the GitHub Security Advisory GHSA-r35r-fpx2-jgr4, and no CISA KEV listing or CVSS score has been assigned at time of analysis.

Denial Of Service Docker
NVD GitHub
EPSS 0% CVSS 2.0
LOW PATCH Monitor

Arbitrary file overwrite in GNU gzip's gzexe utility allows a local attacker to corrupt victim-accessible files via a symlink attack exploiting predictable temporary filename construction. When mktemp is absent from the user's PATH, gzexe falls back to PID-based temp file naming without exclusive creation or existence checks, enabling a TOCTOU race where a pre-planted symlink redirects the write to an attacker-chosen target. No public exploit or CISA KEV listing exists at time of analysis; impact is limited to low-integrity file overwrite with a CVSS 4.0 score of 2.0.

Information Disclosure Gzip
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Insecure temporary file handling in Spring Boot's ArtemisEmbeddedConfigurationFactory allows a local, low-privileged attacker on the same host to hijack the embedded Apache ActiveMQ Artemis broker's data directory before the application starts. By pre-creating the predictable static path or placing a symlink at that location, the attacker can redirect broker persistence writes - including application messages, journal files, and bindings - to an attacker-controlled filesystem location, yielding partial confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis, but the vulnerability spans five active Spring Boot release trains (2.7.x through 4.0.x), broadening aggregate exposure.

Java Information Disclosure Spring Boot
NVD VulDB HeroDevs
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Local privilege-level information disclosure and artifact tampering in CodexBar versions prior to 0.32.0 allows authenticated users on the same macOS host to read App Store Connect API keys and hijack release builds via predictable temporary file paths in the notarization workflow. The flaw stems from writing sensitive credentials and notarization archives to fixed, world-reachable locations rather than per-run private directories, enabling symlink races and pre-creation attacks. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Codexbar
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Local privilege escalation in CodexBar prior to 0.32.0 allows a same-user attacker to execute arbitrary commands as root by winning a TOCTOU race against the CLI installer's temporary file. The installer writes a privileged shell payload via mktemp and invokes it through bash under an administrator prompt, leaving a window in which the file body can be swapped before approval. No public exploit identified at time of analysis, but VulnCheck published an advisory and the upstream patch is merged.

Privilege Escalation Codexbar
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated remote attackers can access sensitive documents containing personally identifiable information (PII) in Aranda Service Desk versions prior to 8.3.12 by exploiting predictable log file names in the Aranda File Server (AFS) component. Attackers retrieve daily activity logs from a publicly accessible directory to obtain direct virtual paths of uploaded files, then bypass access controls to download the documents. CISA SSVC framework confirms proof-of-concept code exists and the vulnerability is fully automatable, significantly lowering the barrier to exploitation despite no confirmed active exploitation at time of analysis.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Spring AI versions 1.0.0-1.0.5 and 1.1.0-1.1.4 expose ONNX machine learning models to unauthorized disclosure when the application runs in shared hosting environments, allowing local users with limited system access to read sensitive model files and potentially reverse-engineer proprietary ML logic. The vulnerability stems from insecure temporary file handling (CWE-377) that fails to restrict file permissions on extracted model artifacts. Authentication requirements are minimal-only local system access is needed-making this a significant risk in multi-tenant cloud platforms and shared servers.

Information Disclosure Java
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Local privilege escalation and session hijacking in Spring Boot allows attackers with local access to hijack authenticated sessions or execute arbitrary code by taking control of the ApplicationTemp directory. The vulnerability affects Spring Boot versions 2.7.0 through 4.0.5 when server.servlet.session.persistent is enabled, requiring attack persistence across application restarts. VMware has released patches for all supported branches (4.0.6, 3.5.14, 3.4.16, 3.3.19, 2.7.33), though unsupported versions remain vulnerable. No active exploitation confirmed at time of analysis.

Information Disclosure Java Red Hat
NVD HeroDevs VulDB
EPSS 0% CVSS 3.3
LOW PATCH Monitor

mktemp utility in uutils coreutils mishandles empty TMPDIR environment variables by creating temporary files in the current working directory instead of falling back to /tmp, potentially exposing sensitive data if the CWD has overly permissive access controls. Affects uutils coreutils versions prior to 0.6.0 and requires local attacker with limited privileges to manipulate the environment or exploit overly accessible working directories; CVSS 3.3 reflects low severity (local access, limited confidentiality impact) despite information disclosure risk.

Information Disclosure Authentication Bypass Coreutils
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory.

RCE Splunk Enterprise Splunk Cloud Platform
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy