CWE-61 (UNIX Symbolic Link (Symlink) Following) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.
The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
These CVEs are mapped to this weakness in this database and kept for traceability and search.
| CVE | Published | Summary |
|---|---|---|
| CVE-2026-5223 | 2026-05-25 | Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The … |
| CVE-2026-8784 | 2026-05-18 | A vulnerability was detected in npitre cramfs-tools up to 2.2. Affected is the function change_file_status of the file cramfsck.c. Performing a manipulation results in symlink following. The attack re… |
| CVE-2026-41937 | 2026-05-14 | Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload endpoint that allows super_admin users to execute arbitrary PHP code by uploading a malicious plugin ZIP fi… |
| CVE-2026-6475 | 2026-05-14 | Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system accoun… |
| CVE-2026-7819 | 2026-05-11 | Symbolic-link path traversal (CWE-61, CWE-22) in pgAdmin 4 File Manager. check_access_permission used os.path.abspath, which resolves '..' but does not resolve symbolic links, while the subsequent ke… |
| CVE-2026-29203 | 2026-05-08 | A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege esc… |
| CVE-2026-42275 | 2026-05-08 | zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization bu… |
| CVE-2026-31893 | 2026-05-05 | Tunnelblick is an open source graphic user interface for OpenVPN on macOS. In versions 3.3beta26 through 9.0beta01, any local user can read arbitrary root-owned files by exploiting a symlink following… |
| CVE-2026-7832 | 2026-05-05 | A security flaw has been discovered in IObit Advanced SystemCare 19. This affects an unknown part of the file ASC.exe of the component Service. The manipulation results in symlink following. Attacking… |
| CVE-2026-43570 | 2026-05-05 | OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. Attac… |
| CVE-2026-7397 | 2026-04-29 | A security flaw has been discovered in NousResearch hermes-agent 0.8.0. This affects the function _check_sensitive_path of the file tools/file_tools.py. The manipulation results in symlink following. … |
| CVE-2026-41326 | 2026-04-24 | Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. From v3.4.0 to v3.28.0, an oversight in the CopyFile… |
| CVE-2026-35372 | 2026-04-22 | A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference (or -n) flag is explicitly provided. The implementation prev… |
| CVE-2026-39861 | 2026-04-21 | Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claud… |
| CVE-2026-28684 | 2026-04-20 | python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewrit… |
| CVE-2026-40354 | 2026-04-11 | Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash. |
| CVE-2026-35632 | 2026-04-09 | OpenClaw through 2026.2.22 contains a symlink traversal vulnerability in agents.create and agents.update handlers that use fs.appendFile on IDENTITY.md without symlink containment checks. Attackers wi… |
| CVE-2026-21916 | 2026-04-09 | A UNIX Symbolic Link (Symlink) Following vulnerability in the CLI of Juniper Networks Junos OS allows a local, authenticated attacker with low privileges to escalate their privileges to root which wil… |
| CVE-2026-39860 | 2026-04-08 | Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically… |
| CVE-2026-35525 | 2026-04-08 | LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, for {% include %}, {% render %}, and {% layout %}, LiquidJS checks whether the candidate path is i… |
| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Relationships, Observed_Example, Other_Notes, Research_Gaps, Taxonomy_Mappings, Weakness_Ordinalities |
| 2008-10-14 | CWE Content Team | 1.0.1 | — | updated Description |
| 2009-07-27 | CWE Content Team | 1.5 | — | updated Observed_Examples |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Observed_Examples, References |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Potential_Mitigations |
| 2014-06-23 | CWE Content Team | 2.7 | — | updated Modes_of_Introduction, Other_Notes |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, References, Relationships |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Relationships |
| 2022-04-28 | CWE Content Team | 4.7 | — | updated Research_Gaps |
| 2022-10-13 | CWE Content Team | 4.9 | — | updated Observed_Examples |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Description |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated References, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2025-09-09 | CWE Content Team | 4.18 | — | updated Affected_Resources, Functional_Areas, References |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Detection_Factors, Relationships |