7.5
CVE-2026-54572
- EPSS -
- Veröffentlicht 14.07.2026 21:37:41
- Zuletzt bearbeitet 14.07.2026 22:17:16
- CVE-Watchlists
- Unerledigt
rclone: Unvalidated symlink target in local `--links` — arbitrary file write from an untrusted remote
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, with -l/--links, rclone serializes symlinks as .rclonelink text objects and recreates them on a local destination without validating the target, allowing an attacker-controlled remote to plant an escaping symlink and cause a following object write to land outside the destination with attacker-chosen contents. This issue is fixed in version 1.74.4.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellerrclone
≫
Produkt
rclone
Version
< 1.74.4
Status
affected
VulnDex Vulnerability Enrichment
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.5 | 1.6 | 5.3 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L
|
CWE-59 Improper Link Resolution Before File Access ('Link Following')
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
https://github.com/rclone/rclone/security/advisories/GHSA-cf44-9pgv-m4xc
https://github.com/rclone/rclone/commit/1154afebee986180b489084d38e2a0c578751498
https://github.com/rclone/rclone/commit/874a804f5289517defdd7de68b2a374837080265
https://github.com/rclone/rclone/releases/tag/v1.74.4