CWE-426
Allowed-with-ReviewUntrusted Search Path
Abstraction: Base · Status: Stable
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
892 vulnerabilities reference this CWE, most recent first.
GHSA-HMFR-96JF-XPG4
Vulnerability from github – Published: 2022-04-01 00:00 – Updated: 2022-04-08 00:00Untrusted search path vulnerability in AttacheCase ver.4.0.2.7 and earlier allows an attacker to gain privileges and execute arbitrary code via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2022-25348"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-31T08:15:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in AttacheCase ver.4.0.2.7 and earlier allows an attacker to gain privileges and execute arbitrary code via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-hmfr-96jf-xpg4",
"modified": "2022-04-08T00:00:30Z",
"published": "2022-04-01T00:00:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25348"
},
{
"type": "WEB",
"url": "https://hibara.org/software/attachecase/?lang=en"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN10140834/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HMFV-7R88-HHRQ
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2024-04-04 00:42Untrusted search path vulnerability in Installer of Electronic reception and examination of application for radio licenses Online 1.0.9.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2019-5957"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-17T16:29:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in Installer of Electronic reception and examination of application for radio licenses Online 1.0.9.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-hmfv-7r88-hhrq",
"modified": "2024-04-04T00:42:29Z",
"published": "2022-05-24T16:46:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5957"
},
{
"type": "WEB",
"url": "https://www.denpa.soumu.go.jp/public/prog/onlineInstaller_download.html"
},
{
"type": "WEB",
"url": "http://jvn.jp/en/jp/JVN91361851/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HMR2-87PR-XXXM
Vulnerability from github – Published: 2022-05-17 02:46 – Updated: 2025-04-20 03:37Untrusted search path vulnerability in Vivaldi installer for Windows prior to version 1.7.735.48 allows an attacker to execute arbitrary code via a specially crafted executable file in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2017-2156"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-28T16:59:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in Vivaldi installer for Windows prior to version 1.7.735.48 allows an attacker to execute arbitrary code via a specially crafted executable file in an unspecified directory.",
"id": "GHSA-hmr2-87pr-xxxm",
"modified": "2025-04-20T03:37:01Z",
"published": "2022-05-17T02:46:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2156"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN71572107/index.html"
},
{
"type": "WEB",
"url": "https://vivaldi.com/security/vulnerability-disclosure-vivaldi-installer-for-windows-could-run-arbitrary-downloaded-code-jvn71572107"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98040"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HPR7-5G9M-R2J8
Vulnerability from github – Published: 2025-05-05 12:30 – Updated: 2025-05-05 12:30A vulnerability was found in Mechrevo Control Console 1.0.2.70. It has been rated as critical. Affected by this issue is some unknown functionality in the library C:\Program Files\OEM\MECHREVO Control Center\UniwillService\MyControlCenter\csCAPI.dll of the component GCUService. The manipulation leads to uncontrolled search path. An attack has to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-4272"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-05T11:15:45Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in Mechrevo Control Console 1.0.2.70. It has been rated as critical. Affected by this issue is some unknown functionality in the library C:\\Program Files\\OEM\\MECHREVO Control Center\\UniwillService\\MyControlCenter\\csCAPI.dll of the component GCUService. The manipulation leads to uncontrolled search path. An attack has to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-hpr7-5g9m-r2j8",
"modified": "2025-05-05T12:30:34Z",
"published": "2025-05-05T12:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4272"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/1VKhLyW0oglACkt-5PgTtN9oRB2jMczeh/view?usp=sharing"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.307376"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.307376"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.563468"
},
{
"type": "WEB",
"url": "https://www.yuque.com/ba1ma0-an29k/nnxoap/bhd5ckqugggmpttp?singleDoc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HQ49-4FX9-HW5V
Vulnerability from github – Published: 2022-05-14 01:02 – Updated: 2022-05-14 01:02Untrusted search path vulnerability in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, leading to DLL loading during Windows Explorer access to the icon of a crafted shortcut, aka "DLL Planting Remote Code Execution Vulnerability."
{
"affected": [],
"aliases": [
"CVE-2015-0096"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-03-11T10:59:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, leading to DLL loading during Windows Explorer access to the icon of a crafted shortcut, aka \"DLL Planting Remote Code Execution Vulnerability.\"",
"id": "GHSA-hq49-4fx9-hw5v",
"modified": "2022-05-14T01:02:52Z",
"published": "2022-05-14T01:02:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0096"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-020"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/72894"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1031890"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HQ5M-J87X-CF2W
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30HUAWEI P30 Pro versions earlier than 10.1.0.160(C00E160R2P8) have a path traversal vulnerability. The system does not sufficiently validate certain pathname, successful exploit could allow the attacker access files and cause information disclosure.
{
"affected": [],
"aliases": [
"CVE-2020-9106"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-12T14:15:00Z",
"severity": "MODERATE"
},
"details": "HUAWEI P30 Pro versions earlier than 10.1.0.160(C00E160R2P8) have a path traversal vulnerability. The system does not sufficiently validate certain pathname, successful exploit could allow the attacker access files and cause information disclosure.",
"id": "GHSA-hq5m-j87x-cf2w",
"modified": "2022-05-24T17:30:33Z",
"published": "2022-05-24T17:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9106"
},
{
"type": "WEB",
"url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200930-01-pathtraversal-en"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HQV2-M338-MJ94
Vulnerability from github – Published: 2022-05-17 01:18 – Updated: 2022-05-17 01:18Untrusted search path vulnerability in Optimal Guard 1.1.21 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2017-10836"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-29T01:35:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in Optimal Guard 1.1.21 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-hqv2-m338-mj94",
"modified": "2022-05-17T01:18:59Z",
"published": "2022-05-17T01:18:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10836"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN87540575/index.html"
},
{
"type": "WEB",
"url": "https://www.optim.co.jp/contents/23246"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HQVX-XG7F-6MMM
Vulnerability from github – Published: 2022-05-24 16:53 – Updated: 2023-02-02 18:31A DLL search path vulnerability was reported in PaperDisplay Hotkey Service version 1.2.0.8 that could allow privilege escalation. Lenovo has ended support for PaperDisplay Hotkey software as the Night light feature introduced in Windows 10 Build 1703 provides similar features.
{
"affected": [],
"aliases": [
"CVE-2019-6165"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-19T15:15:00Z",
"severity": "HIGH"
},
"details": "A DLL search path vulnerability was reported in PaperDisplay Hotkey Service version 1.2.0.8 that could allow privilege escalation. Lenovo has ended support for PaperDisplay Hotkey software as the Night light feature introduced in Windows 10 Build 1703 provides similar features.",
"id": "GHSA-hqvx-xg7f-6mmm",
"modified": "2023-02-02T18:31:07Z",
"published": "2022-05-24T16:53:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6165"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/solutions/LEN-27569"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HV44-V25J-F7M2
Vulnerability from github – Published: 2025-01-31 15:30 – Updated: 2025-01-31 15:30Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39378.
{
"affected": [],
"aliases": [
"CVE-2025-24829"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-31T13:15:27Z",
"severity": "MODERATE"
},
"details": "Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39378.",
"id": "GHSA-hv44-v25j-f7m2",
"modified": "2025-01-31T15:30:44Z",
"published": "2025-01-31T15:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24829"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-7839"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HXF4-PC5P-7F5C
Vulnerability from github – Published: 2022-11-09 19:02 – Updated: 2022-11-10 19:01A Untrusted Search Path vulnerability in openldap2 of openSUSE Factory allows local attackers with control of the ldap user or group to change ownership of arbitrary directory entries to this user/group, leading to escalation to root. This issue affects: openSUSE Factory openldap2 versions prior to 2.6.3-404.1.
{
"affected": [],
"aliases": [
"CVE-2022-31253"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-09T14:15:00Z",
"severity": "HIGH"
},
"details": "A Untrusted Search Path vulnerability in openldap2 of openSUSE Factory allows local attackers with control of the ldap user or group to change ownership of arbitrary directory entries to this user/group, leading to escalation to root. This issue affects: openSUSE Factory openldap2 versions prior to 2.6.3-404.1.",
"id": "GHSA-hxf4-pc5p-7f5c",
"modified": "2022-11-10T19:01:08Z",
"published": "2022-11-09T19:02:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31253"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1202931"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Attack Surface Reduction
Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
Mitigation
When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.
Mitigation
Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.
Mitigation
Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.
Mitigation
Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.
CAPEC-38: Leveraging/Manipulating Configuration File Search Paths
This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.