CVE-2026-33694 PUBLISHED

Junction File Manipulation

Assigner: tenable
Reserved: 23.03.2026 Published: 23.04.2026 Updated: 24.04.2026

This vulnerability allows an attacker to create a junction, enabling the deletion of arbitrary files with SYSTEM privileges. As a result, this condition potentially facilitates arbitrary code execution, whereby an attacker may exploit the vulnerability to execute malicious code with elevated SYSTEM privileges.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P
CVSS Score: 7.4

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	Low
User Interaction	Active

CVSS 4.0

Product Status

Vendor	Tenable, Inc.
Product	Tenable Nessus, Tenable Nessus Agent
Versions	Default: unaffected affected from Nessus Agent to 11.1.2 (incl.) affected from Nessus to 10.11.3 (incl.)

References

Problem Types

CWE-59 Improper link resolution before file access ('link following') CWE