htmlheadline before 21.8 allows local users to overwrite arbitrary files via a symlink attack on temporary files.