CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

216 matches found

CVE-2026-12958

CVE-2026-12958 affects Language Servers for AWS due to missing symlink validation, allowing arbitrary file write outside the workspace trust boundary when a user opens a workspace containing a crafted symlink. The issue is reported across multiple sources (CVE entry, NVD, and related databases). ...

8.5CVSS6AI score

Exploits0References2

EUVD•added 7 hours ago•4 views

EUVD-2026-38489

Missing symlink validation in Language Servers for AWS may allow an arbitrary file write outside of the workspace trust boundary. This may occur when a local user opens a workspace with a maliciously crafted symlink that resolves to a file path outside the workspace trust boundary. To remediate...

8.5CVSS6AI score

Exploits0References2

NVD•added 6 days ago•8 views

CVE-2026-12567

The githubworkflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location...

2.2CVSS0.0009EPSS

Exploits0References1

Positive Technologies•added 6 days ago•11 views

PT-2026-50562

Name of the Vulnerable Software and Affected Versions github workflows affected versions not specified Description The github workflows module constructs local directory paths using repository names provided by the user without validating for symlinks. A local attacker with access to the scan...

2.2CVSS5.2AI score0.0009EPSS

Exploits0References2

RedhatCVE•added 2026/06/05 7:21 p.m.•7 views

CVE-2026-41231

Froxlor is open source server administration software. Prior to version 2.3.6, DataDump.add constructs the export destination path from user-supplied input without passing the $fixedhomedir parameter to FileDir::makeCorrectDir, bypassing the symlink validation that was added to all other...

7.5CVSS5.6AI score0.00414EPSS

Exploits1References1

EUVD•added 2026/05/27 1:14 p.m.•12 views

EUVD-2026-32494

IBM Langflow OSS 1.0.0 through 1.9.1 could allow remote code execution due to improper validation of symbolic links during archive extraction...

9.8CVSS6.4AI score0.00592EPSS

Exploits0References1

Cvelist•added 2026/05/26 1:14 p.m.•39 views

CVE-2026-7374 Kubevirt: kubevirt virt-handler: privilege escalation and node compromise via symlink following vulnerability

A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper symlink validation when connecting to virtual machine console sockets. By replacing the console socket with a symlink to...

9.9CVSS0.00544EPSS

Exploits0References12

EUVD•added 2026/05/26 1:14 p.m.•7 views

EUVD-2026-31824

9.9CVSS5.8AI score0.00544EPSS

Exploits0References2

ATTACKERKB•added 2026/05/26 1:14 p.m.•8 views

CVE-2026-7374

9.9CVSS5.8AI score0.00544EPSS

Exploits0References13

Vulnrichment•added 2026/04/23 3:52 a.m.•3 views

CVE-2026-41231 Froxlor has Incomplete Symlink Validation in DataDump.add() that Allows Arbitrary Directory Ownership Takeover via Cron

7.5CVSS7.5AI score0.00414EPSS

Exploits1References3

CVE•added 2026/04/23 3:52 a.m.•11 views

CVE-2026-41231

Froxlor prior to 2.3.6 has an incomplete symlink validation in DataDump.add() that uses user-supplied input to build the export path without passing fixed_homedir to FileDir::makeCorrectDir(), bypassing the symlink checks added elsewhere. When ExportCron runs as root, it performs chown -R on the ...

7.5CVSS5.9AI score0.00414EPSS

Exploits1References3Affected Software1

ATTACKERKB•added 2026/04/23 3:52 a.m.•3 views

CVE-2026-41231

9.9CVSS5.9AI score0.00836EPSS

Exploits2References4Affected Software1

Cvelist•added 2026/04/23 3:52 a.m.•29 views

CVE-2026-41231 Froxlor has Incomplete Symlink Validation in DataDump.add() that Allows Arbitrary Directory Ownership Takeover via Cron

7.5CVSS0.00414EPSS

Exploits1References3

Positive Technologies•added 2026/04/23 12:0 a.m.•9 views

PT-2026-34635

Froxlor is open source server administration software. Prior to version 2.3.6, DataDump.add constructs the export destination path from user-supplied input without passing the $fixed homedir parameter to FileDir::makeCorrectDir, bypassing the symlink validation that was added to all other...

7.5CVSS5.9AI score0.00414EPSS

Exploits1References4

OSV•added 2026/04/16 12:47 a.m.•1 views

GHSA-75H4-C557-J89R Froxlor has Incomplete Symlink Validation in DataDump.add() Allows Arbitrary Directory Ownership Takeover via Cron

Summary DataDump.add constructs the export destination path from user-supplied input without passing the $fixedhomedir parameter to FileDir::makeCorrectDir, bypassing the symlink validation that was added to all other customer-facing path operations likely as the fix for CVE-2023-6069. When the...

7.5CVSS6AI score0.00414EPSS

Exploits1References5

Github Security Blog•added 2026/04/16 12:47 a.m.•6 views

Froxlor has Incomplete Symlink Validation in DataDump.add() Allows Arbitrary Directory Ownership Takeover via Cron

9.9CVSS6AI score0.00836EPSS

Exploits2References5Affected Software1

RedhatCVE•added 2026/03/26 3:16 p.m.•2 views

CVE-2026-28866

This issue was addressed with improved validation of symlinks. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to access sensitive user data...

6.2CVSS5.8AI score0.00232EPSS

Exploits0References1

EUVD•added 2026/03/25 3:31 a.m.•4 views

EUVD-2026-15145

6.2CVSS5.8AI score0.00232EPSS

Exploits0References6

NVD•added 2026/03/25 1:17 a.m.•2 views

CVE-2026-28866

6.2CVSS0.00232EPSS

Exploits0References5

Vulnrichment•added 2026/03/25 12:31 a.m.•1 views

CVE-2026-28866