20 matches found

ATTACKERKB · added 6 days ago · 5 views

CVE-2026-13201

A flaw was found in KubeVirt's safepath package used by virt-handler. The OpenAtNoFollow function uses O_PATH|O_NOFOLLOW to obtain a file descriptor to a path leaf, but downstream operations resolve the path via /proc/self/fd/N using link-following syscalls. When the leaf is a symlink, the kernel...

CVSS 7.3 · AI score 6 · EPSS 0.00124
Exploits: 0 · References: 3
RedhatCVE · added 6 days ago · 5 views

CVE-2026-13201

A flaw was found in KubeVirt's safepath package used by virt-handler. The OpenAtNoFollow function uses O_PATH|O_NOFOLLOW to obtain a file descriptor to a path leaf, but downstream operations resolve the path via /proc/self/fd/N using link-following syscalls. When the leaf is a symlink, the kernel...

CVSS 7.3 · AI score 6 · EPSS 0.00124
Exploits: 0 · References: 3
Positive Technologies · added 6 days ago · 8 views

PT-2026-52087

Name of the Vulnerable Software and Affected Versions: KubeVirt (affected versions not specified). Description: A flaw exists in the safepath package used by virt-handler. The OpenAtNoFollow function utilizes O_PATH|O_NOFOLLOW to obtain a file descriptor for a path leaf; however, subsequent operations...

CVSS 7.3 · AI score 6 · EPSS 0.00124
Exploits: 0 · References: 5
EUVD · added 2026/05/22 7:47 p.m. · 15 views

EUVD-2026-31497

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.38 and prior, the build packaging workflow follows attacker-controlled symlinks inside the build context and copies the referenced file contents into the generated Bento...

CVSS 5.5 · AI score 5.8 · EPSS 0.00284
Exploits: 1 · References: 3
Tenable Nessus · added 2026/05/20 12:00 a.m. · 10 views

RHEL 9 : rhc (RHSA-2026:19369)

The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:19369 advisory. rhc is a client tool and daemon that connects the system to Red Hat hosted services, enabling system and subscription management. Security...

CVSS 7.5 · AI score 7.3 · EPSS 0.00449
Exploits: 0 · References: 6
Vulnrichment · added 2026/05/15 4:02 p.m. · 11 views

CVE-2026-45539 Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agents/` are dereferenced during `apm install`, copying host-local file contents into the project tree

Microsoft APM is an open-source, community-driven dependency manager for AI agents. From 0.5.4 to 0.12.4, two primitive integrators in apm-cli enumerate package files with bare Path.glob / Path.rglob calls and read each match with Path.read_text, transparently following symbolic links. A symlink...

CVSS 7.4 · AI score 5.8 · EPSS 0.00654
Exploits: 0 · References: 1
ATTACKERKB · added 2026/04/22 4:08 p.m. · 5 views

CVE-2026-35372

A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference or -n flag is explicitly provided. The implementation previously only honored the "no-dereference" intent if the --force overwrite mode was also enabled. Thi...

CVSS 5 · AI score 5.8 · EPSS 0.00138
Exploits: 0 · References: 3
Vulnrichment · added 2026/04/22 4:08 p.m. · 4 views

CVE-2026-35372 uutils coreutils ln Security Bypass via Improper Handling of the --no-dereference Flag

A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference or -n flag is explicitly provided. The implementation previously only honored the "no-dereference" intent if the --force overwrite mode was also enabled. Thi...

CVSS 5 · AI score 5.8 · EPSS 0.00138
Exploits: 0 · References: 2
OSV · added 2025/02/27 8:37 a.m. · 4 views

CLSA-2025-1740645424 Fix CVE(s): CVE-2023-6597

SECURITY UPDATE: Ability to modify permissions with privileged programs
- debian/patches/CVE-2023-6597.patch: Prevent the tempfile.TemporaryDirectory class from dereferencing symlinks
- CVE-2023-6597...

CVSS 7.8 · AI score 6.8 · EPSS 0.00313
Exploits: 0 · References: 1
OSV · added 2025/02/27 8:35 a.m. · 4 views

CLSA-2025-1740645307 Fix CVE(s): CVE-2023-6597

SECURITY UPDATE: Ability to modify permissions with privileged programs
- debian/patches/CVE-2023-6597.patch: Prevent the tempfile.TemporaryDirectory class from dereferencing symlinks
- CVE-2023-6597...

CVSS 7.8 · AI score 6.8 · EPSS 0.00313
Exploits: 0 · References: 1
Tenable Nessus · added 2024/03/20 12:00 a.m. · 40 views

Slackware Linux 15.0 / current python3 Multiple Vulnerabilities (SSA:2024-080-01)

The version of python3 installed on the remote host is prior to 3.9.19. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2024-080-01 advisory. - libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the...

CVSS 7.8 · AI score 7.2 · EPSS 0.01815
Exploits: 1 · References: 4
OpenVAS · added 2024/03/20 12:00 a.m. · 21 views

Python Symlink Dereference Vulnerability (Mar 2024) - Mac OS X

Python is prone to a symlink dereference vulnerability.
SPDX-FileCopyrightText: 2024 Greenbone AG
Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders.
SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/a:python:python";...

CVSS 7.8 · AI score 7.7 · EPSS 0.00313
Exploits: 0 · References: 5
OSV · added 2024/03/19 4:15 p.m. · 5 views

AZL-35926 CVE-2023-6597 affecting package python3 for versions less than 3.12.3-1

An issue was found in the CPython tempfile.TemporaryDirectory class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users who can run privileged...

CVSS 7.8 · AI score 6.7 · EPSS 0.00313
Exploits: 0 · References: 1
OSV · added 2024/03/19 4:15 p.m. · 8 views

AZL-35949 CVE-2023-6597 affecting package python3 for versions less than 3.9.19-1

An issue was found in the CPython tempfile.TemporaryDirectory class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users who can run privileged...

CVSS 7.8 · AI score 6.7 · EPSS 0.00313
Exploits: 0 · References: 1
CNNVD · added 2024/03/19 12:00 a.m. · 2 views

Python Security Vulnerabilities

Python is an open source, object-oriented programming language from the Python Foundation. The language is extensible, supports modules and packages, and supports multiple platforms. A security vulnerability exists in Python 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and earlier versions, which...

CVSS 7.8 · AI score 6.8 · EPSS 0.00313
Exploits: 0 · References: 16
Positive Technologies · added 2023/12/08 12:00 a.m. · 8 views

PT-2023-8833 · Python +10 · Cpython +10

Name of the Vulnerable Software and Affected Versions: CPython versions 3.12.1 through 3.12.1; CPython versions 3.11.7 through 3.11.7; CPython versions 3.10.13 through 3.10.13; CPython versions 3.9.18 through 3.9.18; CPython versions 3.8.18 and prior. Description: The issue is related to the...

CVSS 9.8 · AI score 6.3 · EPSS 0.33936
Exploits: 33 · References: 386
RedHat Linux · added 2022/02/25 7:48 p.m. · 36 views

Important: Red Hat Security Advisory: Red Hat OpenShift GitOps security update

An update for openshift-gitops-applicationset-container, openshift-gitops-container, openshift-gitops-kam-delivery-container, and openshift-gitops-operator-container is now available for Red Hat OpenShift GitOps 1.3 on OCP 4.7-4.9 (GitOps v1.3.4). Red Hat Product Security has rated this update as...

CVSS 7.7 · AI score 7.4 · EPSS 0.02693
Exploits: 1 · References: 2
RedHat Linux · added 2022/02/08 10:16 p.m. · 67 views

Important: Red Hat Security Advisory: Red Hat OpenShift GitOps security update

An update is now available for Red Hat OpenShift GitOps 1.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link...

CVSS 7.7 · AI score 7.4 · EPSS 0.02693
Exploits: 1 · References: 3
Github Security Blog · added 2022/02/07 7:06 p.m. · 43 views

Path traversal and dereference of symlinks in Argo CD

Impact: All versions of Argo CD are vulnerable to a path traversal bug that allows arbitrary values files to be passed to, and consumed by, Helm charts. Additionally, it is possible to craft special Helm chart packages containing value files that are actually symbolic links, pointing to arbitrary files...

CVSS 7.7 · AI score 7.8 · EPSS 0.02693
Exploits: 1 · References: 7 · Affected Software: 2
0day.today · added 2018/10/26 12:00 a.m. · 74 views

Linux systemd Symlink Dereference Via chown_one() Exploit

Linux suffers from an issue with systemd where chown_one() can dereference symlinks. systemd: chown_one() can dereference symlinks (CVE-2018-15687). I am sending this bug report to Ubuntu, even though it's an upstream bug, as requested at...

AI score 0.2 · EPSS 0.01058
Exploits: 4