CVE-2026-48693

May 27, 2026, 2:42 p.m.

5.5
Medium

Description

FastNetMon Community Edition through 1.2.9 is vulnerable to a local symlink attack via predictable file paths in /tmp. The statistics file path defaults to '/tmp/fastnetmon.dat' (src/fastnetmon.cpp line 159). The print_screen_contents_into_file() function (src/fastnetmon_logic.cpp line 2186) opens this path with std::ios::trunc without checking for symlinks or using O_NOFOLLOW. Additionally, the chmod() call on line 2190 always operates on cli_stats_file_path regardless of which file_path parameter was passed (a bug that applies wrong permissions), and the umask is set to 0 during daemonization (src/fastnetmon.cpp line 1821), making all created files world-writable. A local attacker can exploit this to overwrite arbitrary files as the FastNetMon process user (typically root).

Product(s) Impacted

Vendor Product Versions
Pavel-odintsov
  • Fastnetmon
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-59
Improper Link Resolution Before File Access ('Link Following')
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a pavel-odintsov fastnetmon / / / / community / / /

References

https://github.com/pavel-odintsov/fastnetmon
https://github.com/pavel-odintsov/fastnetmon/blob/master/src/fastnetmon.cpp
https://github.com/pavel-odintsov/fastnetmon/blob/master/src/fastnetmon_logic.cpp
https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48693-symlink-tmp

Tags

[email protected]
CWE-59
2026-05-26
CVE-2026-48693

CVSS Score

5.5 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

    View Vector String

Timeline

Published: May 26, 2026, 5:16 p.m.
Last Modified: May 27, 2026, 2:42 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.