Monthly
Local privilege escalation in the openSUSE Tumbleweed packaging of Suricata allows the unprivileged 'suricata' service account to gain root through a symbolic-link following flaw (CWE-61) in files or directories the package manages with predictable, service-writable paths. Any actor already holding the suricata user context - for example via a compromised or misconfigured IDS/IPS process - can plant a symlink that redirects a root-executed operation to a target of their choosing, yielding full system compromise. The CVSS 4.0 exploit-maturity metric is set to Proof-of-Concept (E:P); there is no evidence of active exploitation in CISA KEV, and no public exploit identified at time of analysis.
Sandbox escape in the Go standard library's os.Root API (os package) on Unix systems allows filesystem operations meant to be confined to a directory to reach files outside it. When a path's final component is a symbolic link and the path ends in a trailing slash (e.g. root.Open("symlink/")), os.Root improperly dereferences that symlink to a location outside the root, defeating the traversal protection the API is designed to enforce. Affects Go before 1.25.12, 1.26.5, and 1.27.0-rc.2; no public exploit is identified at time of analysis and it is not in CISA KEV.
Symlink following in zcaceres markdownify-mcp up to version 1.1.0 allows a local low-privilege user to read files outside the intended directory boundary by exploiting insufficient path resolution in the `assertPathAllowed` function of `src/Markdownify.ts`. The function evaluates the user-supplied symbolic path rather than its canonicalized target, enabling an attacker to bypass the path restriction check and disclose arbitrary local files. No public exploit code exists at time of analysis, the vulnerability is not listed in CISA KEV, and a fix is pending as an unmerged pull request.
Symlink-following in KubeVirt's virt-handler permits a container-level attacker to overwrite arbitrary host files and change their ownership. An attacker with access to the virt-launcher container can plant a symlink at the network cache file path expected by the `WriteToCachedFile` function; virt-handler then follows that symlink when calling `os.WriteFile` and `os.Chown`, enabling writes of attacker-influenced JSON content to any path accessible by virt-handler on the host. This represents a partial container-to-host escape - a scope change from the container context to the underlying node - with no public exploit identified at time of analysis.
Local privilege boundary bypass in KubeVirt's safepath package lets an attacker who controls a virt-launcher pod trick the privileged virt-handler into applying file ownership or permission changes to unintended host paths. The OpenAtNoFollow safeguard is defeated because downstream helpers re-open the descriptor through /proc/self/fd/N with link-following syscalls, so a symlink at the path leaf is dereferenced. There is no public exploit identified at time of analysis, EPSS is very low (0.12%), and CISA SSVC marks exploitation as none.
Arbitrary file write in AWS Language Servers (versions prior to 1.69.0) allows a local attacker to escape the workspace trust boundary by tricking a user into opening a workspace containing a maliciously crafted symbolic link. Because the language server fails to validate symlink targets, files written through normal language-server operations can land at arbitrary paths on disk, enabling tampering with sensitive files outside the workspace. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Symlink following in pwnlift's Blazor upload handler permits arbitrary file write with elevated system privileges when the application is deployed in a privileged (root or high-privilege) context. All pwnlift releases before commit d7a95449d9ee1ea09ec1529286685f6187afbbed are affected through the upload component in Components/Pages/Home.razor. No public exploit has been identified at time of analysis; an upstream fix is available via the referenced GitHub commit.
Arbitrary file read leading to remote code execution affects Langflow versions prior to 1.9.2 in any flow that uses BaseFileComponent-derived nodes (Read File, Docling, Docling Serve, NVIDIA Retriever Extraction, Video File, Unstructured API). An attacker who can submit a TAR archive containing symlinks - for example through a RAG ingestion pipeline that accepts user documents - causes the server to follow those links and ingest arbitrary host files such as Langflow's JWT secret_key, which can then be used to forge admin tokens and execute Python via the Code Interpreter node. Publicly available exploit code exists (researcher-published PoC archive and demo video); not listed in CISA KEV.
Arbitrary host file disclosure in containerd's CRI plugin lets an attacker read any file on the Kubernetes node via `kubectl logs` because the plugin restores `container.log` from a checkpoint image while blindly following a symlinked path. All containerd 2.x branches before 2.1.9, 2.2.5, and 2.3.2 are affected wherever container checkpoint/restore (CRIU-based) is used. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the flaw was independently reported by numerous researchers and a vendor patch is available.
Arbitrary file write in OneDev 15.0.6 and earlier allows any authenticated user with CI Job write access to overwrite files anywhere on the server filesystem by uploading a crafted TAR archive whose symbolic link entries point to absolute paths outside the extraction directory. The flaw is an incomplete-fix bypass of CVE-2021-21251, which only blocked `..` path traversal in TAR entry names but never validated symlink targets. No public exploit has been identified at time of analysis, but the official patch commit and GitHub Security Advisory GHSA-55g8-94r5-cj37 publicly describe the bypass mechanism.
Local privilege escalation in the openSUSE Tumbleweed packaging of Suricata allows the unprivileged 'suricata' service account to gain root through a symbolic-link following flaw (CWE-61) in files or directories the package manages with predictable, service-writable paths. Any actor already holding the suricata user context - for example via a compromised or misconfigured IDS/IPS process - can plant a symlink that redirects a root-executed operation to a target of their choosing, yielding full system compromise. The CVSS 4.0 exploit-maturity metric is set to Proof-of-Concept (E:P); there is no evidence of active exploitation in CISA KEV, and no public exploit identified at time of analysis.
Sandbox escape in the Go standard library's os.Root API (os package) on Unix systems allows filesystem operations meant to be confined to a directory to reach files outside it. When a path's final component is a symbolic link and the path ends in a trailing slash (e.g. root.Open("symlink/")), os.Root improperly dereferences that symlink to a location outside the root, defeating the traversal protection the API is designed to enforce. Affects Go before 1.25.12, 1.26.5, and 1.27.0-rc.2; no public exploit is identified at time of analysis and it is not in CISA KEV.
Symlink following in zcaceres markdownify-mcp up to version 1.1.0 allows a local low-privilege user to read files outside the intended directory boundary by exploiting insufficient path resolution in the `assertPathAllowed` function of `src/Markdownify.ts`. The function evaluates the user-supplied symbolic path rather than its canonicalized target, enabling an attacker to bypass the path restriction check and disclose arbitrary local files. No public exploit code exists at time of analysis, the vulnerability is not listed in CISA KEV, and a fix is pending as an unmerged pull request.
Symlink-following in KubeVirt's virt-handler permits a container-level attacker to overwrite arbitrary host files and change their ownership. An attacker with access to the virt-launcher container can plant a symlink at the network cache file path expected by the `WriteToCachedFile` function; virt-handler then follows that symlink when calling `os.WriteFile` and `os.Chown`, enabling writes of attacker-influenced JSON content to any path accessible by virt-handler on the host. This represents a partial container-to-host escape - a scope change from the container context to the underlying node - with no public exploit identified at time of analysis.
Local privilege boundary bypass in KubeVirt's safepath package lets an attacker who controls a virt-launcher pod trick the privileged virt-handler into applying file ownership or permission changes to unintended host paths. The OpenAtNoFollow safeguard is defeated because downstream helpers re-open the descriptor through /proc/self/fd/N with link-following syscalls, so a symlink at the path leaf is dereferenced. There is no public exploit identified at time of analysis, EPSS is very low (0.12%), and CISA SSVC marks exploitation as none.
Arbitrary file write in AWS Language Servers (versions prior to 1.69.0) allows a local attacker to escape the workspace trust boundary by tricking a user into opening a workspace containing a maliciously crafted symbolic link. Because the language server fails to validate symlink targets, files written through normal language-server operations can land at arbitrary paths on disk, enabling tampering with sensitive files outside the workspace. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Symlink following in pwnlift's Blazor upload handler permits arbitrary file write with elevated system privileges when the application is deployed in a privileged (root or high-privilege) context. All pwnlift releases before commit d7a95449d9ee1ea09ec1529286685f6187afbbed are affected through the upload component in Components/Pages/Home.razor. No public exploit has been identified at time of analysis; an upstream fix is available via the referenced GitHub commit.
Arbitrary file read leading to remote code execution affects Langflow versions prior to 1.9.2 in any flow that uses BaseFileComponent-derived nodes (Read File, Docling, Docling Serve, NVIDIA Retriever Extraction, Video File, Unstructured API). An attacker who can submit a TAR archive containing symlinks - for example through a RAG ingestion pipeline that accepts user documents - causes the server to follow those links and ingest arbitrary host files such as Langflow's JWT secret_key, which can then be used to forge admin tokens and execute Python via the Code Interpreter node. Publicly available exploit code exists (researcher-published PoC archive and demo video); not listed in CISA KEV.
Arbitrary host file disclosure in containerd's CRI plugin lets an attacker read any file on the Kubernetes node via `kubectl logs` because the plugin restores `container.log` from a checkpoint image while blindly following a symlinked path. All containerd 2.x branches before 2.1.9, 2.2.5, and 2.3.2 are affected wherever container checkpoint/restore (CRIU-based) is used. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the flaw was independently reported by numerous researchers and a vendor patch is available.
Arbitrary file write in OneDev 15.0.6 and earlier allows any authenticated user with CI Job write access to overwrite files anywhere on the server filesystem by uploading a crafted TAR archive whose symbolic link entries point to absolute paths outside the extraction directory. The flaw is an incomplete-fix bypass of CVE-2021-21251, which only blocked `..` path traversal in TAR entry names but never validated symlink targets. No public exploit has been identified at time of analysis, but the official patch commit and GitHub Security Advisory GHSA-55g8-94r5-cj37 publicly describe the bypass mechanism.