76 matches found
golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root
A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the Root.Chmod function is replaced with a symbolic link during execution, specifically after Root.Chmod checks the target but before acting, the chmod operation will be performed on the file the...
Open WebUI Authorization Issue Vulnerability
Open WebUI is an extensible, feature-rich, and user-friendly open-source self-hosted WebUI. Versions of Open WebUI prior to 0.5.7 had an authorization vulnerability. This vulnerability stems from the ability for users to change access permissions during editing, potentially leading to...
CVE-2026-35352
CVE-2026-35352 affects the mkfifo utility in uutils coreutils. A TOCTOU race exists: the tool creates a FIFO and then performs a path-based chmod. A local attacker with write access to the parent directory can replace the newly created FIFO with a symbolic link between the two operations, causing...
OpenHarness Security Vulnerability
OpenHarness is a lightweight development and runtime framework for Data Intelligence Lab@HKU. Previous versions of OpenHarness had security vulnerabilities, which stemmed from insufficient differentiation between local commands and remote secure commands processed by the gateway. This vulnerabili...
CVE-2026-33056 tar-rs: unpack_in can chmod arbitrary directories by following symlinks
tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpackdir function uses fs::metadata to check whether a path that already exists is a directory. Because fs::metadata follows symbolic links, a crafted tarball...
EUVD-2004-2602
Malware in sbrugna...
CVE-2025-9810
TOCTOU in linenoiseHistorySave in linenoise allows local attackers to overwrite arbitrary files and change permissions via a symlink race between fopen("w") on the history path and subsequent chmod on the same path...
PT-2025-35507
Name of the Vulnerable Software and Affected Versions: linenoise (affected versions not specified). Description: A time-of-check to time-of-use (TOCTOU) issue exists in the linenoiseHistorySave function within the linenoise library. This flaw allows local attackers to overwrite arbitrary files and...
nodejs: fs.fchown/fchmod bypasses permission model
A flaw was found in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on file descriptors. However, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner...
PT-2024-5138
Name of the Vulnerable Software and Affected Versions: Node.js (affected versions not specified). Description: A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on...
CVE-2023-4607
An authenticated XCC user can change permissions for any user through a crafted API command...
SUSE CVE-2023-4822
Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor...
Trojan-Downloader.Win32.Small.ahlq Insecure Permissions
Discovery / credits: Malvuln - malvuln.com (c) 2022. Original source: https://malvuln.com/advisory/d859ba54086fd0313dc34b73b5b1eccb.txt. Media: twitter.com/malvuln. Threat: Trojan-Downloader.Win32.Small.ahlq. Vulnerability: Insecure Permissions. Description: the malware...
Trojan.Win32.Agent.xaamkd Insecure Permissions
Discovery / credits: Malvuln - malvuln.com (c) 2021. Original source: https://malvuln.com/advisory/095651e1704b501123b41ea2e9736820.txt. Media: twitter.com/malvuln. Threat: Trojan.Win32.Agent.xaamkd. Vulnerability: Insecure Permissions. Description: The malware creates an di...
Backdoor.Win32.Neakse.bit Insecure Permissions
Discovery / credits: Malvuln - malvuln.com (c) 2021. Original source: https://malvuln.com/advisory/20863ba09c31037b1b3220fc6da100e1.txt. Media: twitter.com/malvuln. Threat: Backdoor.Win32.Neakse.bit. Vulnerability: Insecure Permissions. Description: The malware creates two...
Backdoor.Win32.Floder.gqe Insecure Permissions
Discovery / credits: Malvuln - malvuln.com (c) 2021. Original source: https://malvuln.com/advisory/0629e3b2ab8a973a3e37e4e97cb9cfea.txt. Media: twitter.com/malvuln. Threat: Backdoor.Win32.Floder.gqe. Vulnerability: Insecure Permissions. Description: The malware creates an...
Trojan-Dropper.Win32.Injector.aobl Insecure Permissions
Discovery / credits: Malvuln - malvuln.com (c) 2021. Original source: https://malvuln.com/advisory/842f6f21a2a83792e98900df90c9340b.txt. Media: twitter.com/malvuln. Threat: Trojan-Dropper.Win32.Injector.aobl. Vulnerability: Insecure Permissions. Description: The malware...
Trojan.Win32.NanoBot.onh Insecure Permissions
Discovery / credits: Malvuln - malvuln.com (c) 2021. Original source: https://malvuln.com/advisory/9fff4c02274c0162880844f27ff91407.txt. Media: twitter.com/malvuln. Threat: Trojan.Win32.NanoBot.onh. Vulnerability: Insecure Permissions. Description: NanoBot.onh creates an...
Trojan.Win32.Agent.hsm Insecure Permissions
Discovery / credits: Malvuln - malvuln.com (c) 2021. Original source: https://malvuln.com/advisory/c58d5aecd223ac95ae5fab6dcd69e953.txt. Media: twitter.com/malvuln. Threat: Trojan.Win32.Agent.hsm. Vulnerability: Insecure Permissions. Description: Agent.hsm creates an insecur...
Trojan-Downloader.Win32.Genome.omht Insecure Permissions
Discovery / credits: Malvuln - malvuln.com (c) 2021. Original source: https://malvuln.com/advisory/01055838361f534ab596b56a19c70fef.txt. Media: twitter.com/malvuln. Threat: Trojan-Downloader.Win32.Genome.omht. Vulnerability: Insecure Permissions. Description: Genome.omht...