Monthly
Symlink-based race condition in Docker Engine's `docker cp` implementation allows a malicious container with at least one volume mount to redirect a bind mount to an arbitrary host filesystem path, enabling host file overwrite or temporary denial of service. The flaw affects Moby/Docker through 28.5.2 and is fixed only in the Moby v2 line (2.0.0-beta.14); no public exploit identified at time of analysis. Exploitation requires an operator-initiated `docker cp` or archive API call against the malicious container, which constrains real-world abuse to environments where untrusted containers receive file copies.
Race condition in Docker's `docker cp` mount setup allows a process running inside a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem as root. Affected packages include github.com/docker/docker <= 28.5.2 and github.com/moby/moby <= 28.5.2, with a patch only confirmed for the moby/moby v2 branch at 2.0.0-beta.14. The CVSS vector reflects a scope-changed (S:C), high-availability-impact flaw requiring low privileges and high complexity; no public exploit or CISA KEV listing has been identified at time of analysis, but the attack is realistic when operators use `docker cp` against containers running untrusted workloads with volume mounts.
Symlink following in cramfs-tools 2.2 and earlier allows local privileged attackers to manipulate file ownership or timestamps on arbitrary filesystem locations during cramfs extraction. The vulnerability exists in the change_file_status function in cramfsck.c, which performs metadata operations (chown, chmod, utime) without validating that extracted paths are not symbolic links pointing outside the extraction directory. A publicly available exploit exists (GitHub issue #13), and the vendor has released patch commit b4a3a695c. EPSS data not available; not listed in CISA KEV. CVSS 4.2 reflects the local high-privilege requirement, though real-world risk depends heavily on whether cramfs extraction occurs in privileged contexts.
Remote code execution in Vvveb CMS before 1.0.8.3 allows authenticated super_admin users to upload malicious plugin ZIP files containing arbitrary PHP code. Once uploaded, the code executes with web server privileges via unauthenticated HTTP requests to the plugin's public directory, enabling privilege escalation from authenticated admin to system-level code execution. CVSS 8.6 (High) with network attack vector but requires high privileges (PR:H). No active exploitation confirmed at time of analysis, but attack chain is straightforward with publicly documented technique.
Symlink following vulnerabilities in PostgreSQL pg_basebackup and pg_rewind enable database superusers to overwrite arbitrary files on the destination server's filesystem, leading to local OS account takeover. Exploitation requires a malicious origin database superuser convincing an administrator to run these backup/replication tools (UI:R in CVSS), with practical impact limited to scenarios where database files are transferred between systems or snapshotted before server restart. No public exploit identified at time of analysis. CVSS 8.8 reflects theoretical severity, but real-world risk depends on specific operational workflows involving backup file transfers across trust boundaries.
Symbolic link path traversal in pgAdmin 4 File Manager allows authenticated users to write arbitrary files on the server filesystem. Attackers with valid credentials can plant symlinks in their storage directory pointing outside it, bypassing access controls to overwrite critical system files or application configurations with pgAdmin process privileges. The vulnerability combines CWE-61 (symlink following) with a time-of-check-time-of-use race condition. Affects all pgAdmin 4 versions before 9.15. No active exploitation confirmed (not in CISA KEV), but exploit is straightforward for authenticated attackers given the detailed fix description published by PostgreSQL project.
A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory.
Remote path traversal via symlink following in zrok's WebDAV drive backend allows unauthenticated network attackers to read arbitrary files accessible to the zrok process and overwrite critical system files (such as SSH authorized_keys) outside the intended share boundary. Attack complexity is high because exploitation requires a pre-existing symlink inside the shared directory pointing outside DriveRoot-a precondition typically created through local access or misconfiguration, not by the attacker. EPSS data not provided; no CISA KEV listing indicates targeted rather than widespread exploitation. Vendor-released patch available in version 2.0.2 with commit 459bcfc1e121decae1b1d11c37ad94e4ed5bbf2e implementing symlink boundary validation.
Arbitrary file read as root via symlink following vulnerability in Tunnelblick versions 3.3beta26 through 9.0beta01 allows any local user to exploit tunnelblick-helper through the world-accessible tunnelblickd Unix socket to read arbitrary root-owned files. The vulnerability exists because tunnelblick-helper constructs paths to configuration files within user-controlled directories and reads them as root without validating symlinks, enabling attackers to redirect reads to sensitive files. Vendor-released patch available in version 9.0beta02. SSVC framework identifies this as exploitable with publicly available proof-of-concept code but not automatically exploitable.
IObit Advanced SystemCare 19 contains a symlink following vulnerability in the ASC.exe Service component that allows local authenticated attackers to achieve high-impact confidentiality and integrity violations. The vulnerability requires local access and elevated privileges (PR:L) but has high attack complexity (AC:H), making real-world exploitation difficult despite public exploit availability. CVSS 6.4 reflects the local-only attack vector and privilege requirement, though the confidentiality and integrity impacts are rated high.
Symlink-based race condition in Docker Engine's `docker cp` implementation allows a malicious container with at least one volume mount to redirect a bind mount to an arbitrary host filesystem path, enabling host file overwrite or temporary denial of service. The flaw affects Moby/Docker through 28.5.2 and is fixed only in the Moby v2 line (2.0.0-beta.14); no public exploit identified at time of analysis. Exploitation requires an operator-initiated `docker cp` or archive API call against the malicious container, which constrains real-world abuse to environments where untrusted containers receive file copies.
Race condition in Docker's `docker cp` mount setup allows a process running inside a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem as root. Affected packages include github.com/docker/docker <= 28.5.2 and github.com/moby/moby <= 28.5.2, with a patch only confirmed for the moby/moby v2 branch at 2.0.0-beta.14. The CVSS vector reflects a scope-changed (S:C), high-availability-impact flaw requiring low privileges and high complexity; no public exploit or CISA KEV listing has been identified at time of analysis, but the attack is realistic when operators use `docker cp` against containers running untrusted workloads with volume mounts.
Symlink following in cramfs-tools 2.2 and earlier allows local privileged attackers to manipulate file ownership or timestamps on arbitrary filesystem locations during cramfs extraction. The vulnerability exists in the change_file_status function in cramfsck.c, which performs metadata operations (chown, chmod, utime) without validating that extracted paths are not symbolic links pointing outside the extraction directory. A publicly available exploit exists (GitHub issue #13), and the vendor has released patch commit b4a3a695c. EPSS data not available; not listed in CISA KEV. CVSS 4.2 reflects the local high-privilege requirement, though real-world risk depends heavily on whether cramfs extraction occurs in privileged contexts.
Remote code execution in Vvveb CMS before 1.0.8.3 allows authenticated super_admin users to upload malicious plugin ZIP files containing arbitrary PHP code. Once uploaded, the code executes with web server privileges via unauthenticated HTTP requests to the plugin's public directory, enabling privilege escalation from authenticated admin to system-level code execution. CVSS 8.6 (High) with network attack vector but requires high privileges (PR:H). No active exploitation confirmed at time of analysis, but attack chain is straightforward with publicly documented technique.
Symlink following vulnerabilities in PostgreSQL pg_basebackup and pg_rewind enable database superusers to overwrite arbitrary files on the destination server's filesystem, leading to local OS account takeover. Exploitation requires a malicious origin database superuser convincing an administrator to run these backup/replication tools (UI:R in CVSS), with practical impact limited to scenarios where database files are transferred between systems or snapshotted before server restart. No public exploit identified at time of analysis. CVSS 8.8 reflects theoretical severity, but real-world risk depends on specific operational workflows involving backup file transfers across trust boundaries.
Symbolic link path traversal in pgAdmin 4 File Manager allows authenticated users to write arbitrary files on the server filesystem. Attackers with valid credentials can plant symlinks in their storage directory pointing outside it, bypassing access controls to overwrite critical system files or application configurations with pgAdmin process privileges. The vulnerability combines CWE-61 (symlink following) with a time-of-check-time-of-use race condition. Affects all pgAdmin 4 versions before 9.15. No active exploitation confirmed (not in CISA KEV), but exploit is straightforward for authenticated attackers given the detailed fix description published by PostgreSQL project.
A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory.
Remote path traversal via symlink following in zrok's WebDAV drive backend allows unauthenticated network attackers to read arbitrary files accessible to the zrok process and overwrite critical system files (such as SSH authorized_keys) outside the intended share boundary. Attack complexity is high because exploitation requires a pre-existing symlink inside the shared directory pointing outside DriveRoot-a precondition typically created through local access or misconfiguration, not by the attacker. EPSS data not provided; no CISA KEV listing indicates targeted rather than widespread exploitation. Vendor-released patch available in version 2.0.2 with commit 459bcfc1e121decae1b1d11c37ad94e4ed5bbf2e implementing symlink boundary validation.
Arbitrary file read as root via symlink following vulnerability in Tunnelblick versions 3.3beta26 through 9.0beta01 allows any local user to exploit tunnelblick-helper through the world-accessible tunnelblickd Unix socket to read arbitrary root-owned files. The vulnerability exists because tunnelblick-helper constructs paths to configuration files within user-controlled directories and reads them as root without validating symlinks, enabling attackers to redirect reads to sensitive files. Vendor-released patch available in version 9.0beta02. SSVC framework identifies this as exploitable with publicly available proof-of-concept code but not automatically exploitable.
IObit Advanced SystemCare 19 contains a symlink following vulnerability in the ASC.exe Service component that allows local authenticated attackers to achieve high-impact confidentiality and integrity violations. The vulnerability requires local access and elevated privileges (PR:L) but has high attack complexity (AC:H), making real-world exploitation difficult despite public exploit availability. CVSS 6.4 reflects the local-only attack vector and privilege requirement, though the confidentiality and integrity impacts are rated high.