CVE-2025-27850

7.5 HIGH

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a symlink attack

Published: 2026-05-13 · Last updated: 2026-06-02

Severity and scoring

CVSS: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-59

Affected products

Vendor	Product
garmin	empirbus_wireless_display_unit_firmware

Description

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a symlink attack. If a malicious graphics package containing symlinks is uploaded, the web server follows the supplied links when serving content. No mechanisms to restrict those link targets to a specific area of the filesystem is enabled. This allows an attacker to retrieve arbitrary files from the device.

Source: NVD

References

Related CVEs

Same vendor

CVE-2025-27853 — The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed (7.3 HIGH)
CVE-2025-27852 — The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a reflected cross site scripting (XSS) attack (5.0 MEDIUM)
CVE-2025-27851 — The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a cross-site origin WebSocket hijacking attack (9.3 CRITICAL)

Same CWE

CVE-2025-46293 — This issue was addressed with improved handling of symlinks (5.5 MEDIUM)
CVE-2026-45384 — bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files (6.1 MEDIUM)
CVE-2026-53476 — A flaw was found in assisted-migration-agent (9.6 CRITICAL)
CVE-2026-11853 — Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution (6.5 MEDIUM)
CVE-2026-11837 — A local privilege escalation vulnerability was found in the ansible.posix authorized_key module (7.3 HIGH)