Common Weakness Enumeration

CWE-426

Allowed-with-Review

Untrusted Search Path

Abstraction: Base · Status: Stable

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

892 vulnerabilities reference this CWE, most recent first.

GHSA-HMFR-96JF-XPG4

Vulnerability from github – Published: 2022-04-01 00:00 – Updated: 2022-04-08 00:00
VLAI
Details

Untrusted search path vulnerability in AttacheCase ver.4.0.2.7 and earlier allows an attacker to gain privileges and execute arbitrary code via a Trojan horse DLL in an unspecified directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-25348"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-31T08:15:00Z",
    "severity": "HIGH"
  },
  "details": "Untrusted search path vulnerability in AttacheCase ver.4.0.2.7 and earlier allows an attacker to gain privileges and execute arbitrary code via a Trojan horse DLL in an unspecified directory.",
  "id": "GHSA-hmfr-96jf-xpg4",
  "modified": "2022-04-08T00:00:30Z",
  "published": "2022-04-01T00:00:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25348"
    },
    {
      "type": "WEB",
      "url": "https://hibara.org/software/attachecase/?lang=en"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN10140834/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HMFV-7R88-HHRQ

Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2024-04-04 00:42
VLAI
Details

Untrusted search path vulnerability in Installer of Electronic reception and examination of application for radio licenses Online 1.0.9.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-5957"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-17T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "Untrusted search path vulnerability in Installer of Electronic reception and examination of application for radio licenses Online 1.0.9.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
  "id": "GHSA-hmfv-7r88-hhrq",
  "modified": "2024-04-04T00:42:29Z",
  "published": "2022-05-24T16:46:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5957"
    },
    {
      "type": "WEB",
      "url": "https://www.denpa.soumu.go.jp/public/prog/onlineInstaller_download.html"
    },
    {
      "type": "WEB",
      "url": "http://jvn.jp/en/jp/JVN91361851/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HMR2-87PR-XXXM

Vulnerability from github – Published: 2022-05-17 02:46 – Updated: 2025-04-20 03:37
VLAI
Details

Untrusted search path vulnerability in Vivaldi installer for Windows prior to version 1.7.735.48 allows an attacker to execute arbitrary code via a specially crafted executable file in an unspecified directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-2156"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-28T16:59:00Z",
    "severity": "HIGH"
  },
  "details": "Untrusted search path vulnerability in Vivaldi installer for Windows prior to version 1.7.735.48 allows an attacker to execute arbitrary code via a specially crafted executable file in an unspecified directory.",
  "id": "GHSA-hmr2-87pr-xxxm",
  "modified": "2025-04-20T03:37:01Z",
  "published": "2022-05-17T02:46:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2156"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN71572107/index.html"
    },
    {
      "type": "WEB",
      "url": "https://vivaldi.com/security/vulnerability-disclosure-vivaldi-installer-for-windows-could-run-arbitrary-downloaded-code-jvn71572107"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98040"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HPR7-5G9M-R2J8

Vulnerability from github – Published: 2025-05-05 12:30 – Updated: 2025-05-05 12:30
VLAI
Details

A vulnerability was found in Mechrevo Control Console 1.0.2.70. It has been rated as critical. Affected by this issue is some unknown functionality in the library C:\Program Files\OEM\MECHREVO Control Center\UniwillService\MyControlCenter\csCAPI.dll of the component GCUService. The manipulation leads to uncontrolled search path. An attack has to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4272"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-05T11:15:45Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was found in Mechrevo Control Console 1.0.2.70. It has been rated as critical. Affected by this issue is some unknown functionality in the library C:\\Program Files\\OEM\\MECHREVO Control Center\\UniwillService\\MyControlCenter\\csCAPI.dll of the component GCUService. The manipulation leads to uncontrolled search path. An attack has to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-hpr7-5g9m-r2j8",
  "modified": "2025-05-05T12:30:34Z",
  "published": "2025-05-05T12:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4272"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/1VKhLyW0oglACkt-5PgTtN9oRB2jMczeh/view?usp=sharing"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.307376"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.307376"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.563468"
    },
    {
      "type": "WEB",
      "url": "https://www.yuque.com/ba1ma0-an29k/nnxoap/bhd5ckqugggmpttp?singleDoc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HQ49-4FX9-HW5V

Vulnerability from github – Published: 2022-05-14 01:02 – Updated: 2022-05-14 01:02
VLAI
Details

Untrusted search path vulnerability in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, leading to DLL loading during Windows Explorer access to the icon of a crafted shortcut, aka "DLL Planting Remote Code Execution Vulnerability."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-0096"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-03-11T10:59:00Z",
    "severity": "HIGH"
  },
  "details": "Untrusted search path vulnerability in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, leading to DLL loading during Windows Explorer access to the icon of a crafted shortcut, aka \"DLL Planting Remote Code Execution Vulnerability.\"",
  "id": "GHSA-hq49-4fx9-hw5v",
  "modified": "2022-05-14T01:02:52Z",
  "published": "2022-05-14T01:02:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0096"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-020"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/72894"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1031890"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HQ5M-J87X-CF2W

Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30
VLAI
Details

HUAWEI P30 Pro versions earlier than 10.1.0.160(C00E160R2P8) have a path traversal vulnerability. The system does not sufficiently validate certain pathname, successful exploit could allow the attacker access files and cause information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-9106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-12T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "HUAWEI P30 Pro versions earlier than 10.1.0.160(C00E160R2P8) have a path traversal vulnerability. The system does not sufficiently validate certain pathname, successful exploit could allow the attacker access files and cause information disclosure.",
  "id": "GHSA-hq5m-j87x-cf2w",
  "modified": "2022-05-24T17:30:33Z",
  "published": "2022-05-24T17:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9106"
    },
    {
      "type": "WEB",
      "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200930-01-pathtraversal-en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HQV2-M338-MJ94

Vulnerability from github – Published: 2022-05-17 01:18 – Updated: 2022-05-17 01:18
VLAI
Details

Untrusted search path vulnerability in Optimal Guard 1.1.21 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-10836"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-29T01:35:00Z",
    "severity": "HIGH"
  },
  "details": "Untrusted search path vulnerability in Optimal Guard 1.1.21 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
  "id": "GHSA-hqv2-m338-mj94",
  "modified": "2022-05-17T01:18:59Z",
  "published": "2022-05-17T01:18:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10836"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN87540575/index.html"
    },
    {
      "type": "WEB",
      "url": "https://www.optim.co.jp/contents/23246"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HQVX-XG7F-6MMM

Vulnerability from github – Published: 2022-05-24 16:53 – Updated: 2023-02-02 18:31
VLAI
Details

A DLL search path vulnerability was reported in PaperDisplay Hotkey Service version 1.2.0.8 that could allow privilege escalation. Lenovo has ended support for PaperDisplay Hotkey software as the Night light feature introduced in Windows 10 Build 1703 provides similar features.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-6165"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-19T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "A DLL search path vulnerability was reported in PaperDisplay Hotkey Service version 1.2.0.8 that could allow privilege escalation. Lenovo has ended support for PaperDisplay Hotkey software as the Night light feature introduced in Windows 10 Build 1703 provides similar features.",
  "id": "GHSA-hqvx-xg7f-6mmm",
  "modified": "2023-02-02T18:31:07Z",
  "published": "2022-05-24T16:53:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6165"
    },
    {
      "type": "WEB",
      "url": "https://support.lenovo.com/solutions/LEN-27569"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HV44-V25J-F7M2

Vulnerability from github – Published: 2025-01-31 15:30 – Updated: 2025-01-31 15:30
VLAI
Details

Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39378.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24829"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-31T13:15:27Z",
    "severity": "MODERATE"
  },
  "details": "Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39378.",
  "id": "GHSA-hv44-v25j-f7m2",
  "modified": "2025-01-31T15:30:44Z",
  "published": "2025-01-31T15:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24829"
    },
    {
      "type": "WEB",
      "url": "https://security-advisory.acronis.com/advisories/SEC-7839"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HXF4-PC5P-7F5C

Vulnerability from github – Published: 2022-11-09 19:02 – Updated: 2022-11-10 19:01
VLAI
Details

A Untrusted Search Path vulnerability in openldap2 of openSUSE Factory allows local attackers with control of the ldap user or group to change ownership of arbitrary directory entries to this user/group, leading to escalation to root. This issue affects: openSUSE Factory openldap2 versions prior to 2.6.3-404.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-31253"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-09T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "A Untrusted Search Path vulnerability in openldap2 of openSUSE Factory allows local attackers with control of the ldap user or group to change ownership of arbitrary directory entries to this user/group, leading to escalation to root. This issue affects: openSUSE Factory openldap2 versions prior to 2.6.3-404.1.",
  "id": "GHSA-hxf4-pc5p-7f5c",
  "modified": "2022-11-10T19:01:08Z",
  "published": "2022-11-09T19:02:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31253"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=1202931"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Strategy: Attack Surface Reduction

Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.

Mitigation
Implementation

When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.

Mitigation
Implementation

Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.

Mitigation
Implementation

Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.

Mitigation
Implementation

Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.

CAPEC-38: Leveraging/Manipulating Configuration File Search Paths

This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.