CVE-2026-54572
Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-59
Incorrecta resolución de una ruta antes de aceder a un fichero (Seguimiento de enlaces)
Fecha de publicación:
14/07/2026
Última modificación:
15/07/2026
Descripción
*** Pendiente de traducción *** Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, with -l/--links, rclone serializes symlinks as .rclonelink text objects and recreates them on a local destination without validating the target, allowing an attacker-controlled remote to plant an escaping symlink and cause a following object write to land outside the destination with attacker-chosen contents. This issue is fixed in version 1.74.4.
Impacto
Puntuación base 3.x
7.50
Gravedad 3.x
ALTA
Referencias a soluciones, herramientas e información
- https://github.com/rclone/rclone/commit/1154afebee986180b489084d38e2a0c578751498
- https://github.com/rclone/rclone/commit/874a804f5289517defdd7de68b2a374837080265
- https://github.com/rclone/rclone/releases/tag/v1.74.4
- https://github.com/rclone/rclone/security/advisories/GHSA-cf44-9pgv-m4xc
- https://github.com/rclone/rclone/security/advisories/GHSA-cf44-9pgv-m4xc



