Common Weakness Enumeration

CWE-427

Allowed-with-Review

Uncontrolled Search Path Element

Abstraction: Base · Status: Draft

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

1782 vulnerabilities reference this CWE, most recent first.

CVE-2025-49571 (GCVE-0-2025-49571)

Vulnerability from cvelistv5 – Published: 2025-08-12 20:36 – Updated: 2026-02-26 17:48
VLAI
Title
Substance3D - Modeler | Uncontrolled Search Path Element (CWE-427)
Summary
Substance3D - Modeler versions 1.22.0 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. If the application uses an uncontrolled search path to locate critical resources such as programs, an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue does not require user interaction.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-427 - Uncontrolled Search Path Element (CWE-427)
Assigner
References
Impacted products
Vendor Product Version
Adobe Substance3D - Modeler Affected: 0 , ≤ 1.22.0 (semver)
Create a notification for this product.
Date Public
2025-08-12 17:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49571",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-13T15:04:48.261283Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T17:48:55.292Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Substance3D - Modeler",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "1.22.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2025-08-12T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Substance3D - Modeler versions 1.22.0 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. If the application uses an uncontrolled search path to locate critical resources such as programs, an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue does not require user interaction."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 7.8,
            "environmentalSeverity": "HIGH",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "HIGH",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "LOCAL",
            "modifiedAvailabilityImpact": "HIGH",
            "modifiedConfidentialityImpact": "HIGH",
            "modifiedIntegrityImpact": "HIGH",
            "modifiedPrivilegesRequired": "NONE",
            "modifiedScope": "UNCHANGED",
            "modifiedUserInteraction": "REQUIRED",
            "privilegesRequired": "NONE",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "UNCHANGED",
            "temporalScore": 7.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-427",
              "description": "Uncontrolled Search Path Element (CWE-427)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-12T20:36:07.533Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/substance3d-modeler/apsb25-76.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Substance3D - Modeler | Uncontrolled Search Path Element (CWE-427)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2025-49571",
    "datePublished": "2025-08-12T20:36:07.533Z",
    "dateReserved": "2025-06-06T15:42:09.519Z",
    "dateUpdated": "2026-02-26T17:48:55.292Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-49487 (GCVE-0-2025-49487)

Vulnerability from cvelistv5 – Published: 2025-06-17 18:43 – Updated: 2025-06-17 19:52 Exclusively Hosted Service
VLAI
Summary
An uncontrolled search path vulnerability in the Trend Micro Worry-Free Business Security Services (WFBSS) agent could have allowed an attacker with physical access to a machine to execute arbitrary code on affected installations. An attacker must have had physical access to the target system in order to exploit this vulnerability due to need to access a certain hardware component. Also note: this vulnerability only affected the SaaS client version of WFBSS only, meaning the on-premise version of Worry-Free Business Security was not affected, and this issue was addressed in a previous WFBSS monthly maintenance update. Therefore no other customer action is required to mitigate if the WFBSS agents are on the regular SaaS maintenance deployment schedule and this disclosure is for informational purposes only.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-427 - Uncontrolled Search Path Element
Assigner
Impacted products
Vendor Product Version
Trend Micro, Inc. Trend Micro Worry-Free Business Security Services Affected: SaaS , < 6.7.3954 / 14.3.1299 (semver)
    cpe:2.3:a:trendmicro:wfbs_saas:20240325:ga:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49487",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-17T19:52:26.648133Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-17T19:52:40.992Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:trendmicro:wfbs_saas:20240325:ga:*:*:*:*:*:*"
          ],
          "product": "Trend Micro Worry-Free Business Security Services",
          "vendor": "Trend Micro, Inc.",
          "versions": [
            {
              "lessThan": "6.7.3954 / 14.3.1299",
              "status": "affected",
              "version": "SaaS",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An uncontrolled search path vulnerability in the Trend Micro Worry-Free Business Security Services (WFBSS) agent could have allowed an attacker with physical access to a machine to execute arbitrary code on affected installations.\r\n\r\nAn attacker must have had physical access to the target system in order to exploit this vulnerability due to need to access a certain hardware component.\r\n\r\nAlso note: this vulnerability only affected the SaaS client version of WFBSS only, meaning the on-premise version of Worry-Free Business Security was not affected, and this issue was addressed in a previous WFBSS monthly maintenance update. Therefore no other customer action is required to mitigate if the WFBSS agents are on the regular SaaS maintenance deployment schedule and this disclosure is for informational purposes only."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-427",
              "description": "CWE-427: Uncontrolled Search Path Element",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-17T18:43:11.176Z",
        "orgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272",
        "shortName": "trendmicro"
      },
      "references": [
        {
          "url": "https://success.trendmicro.com/en-US/solution/KA-0019936"
        },
        {
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-360/"
        }
      ],
      "tags": [
        "exclusively-hosted-service"
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272",
    "assignerShortName": "trendmicro",
    "cveId": "CVE-2025-49487",
    "datePublished": "2025-06-17T18:43:11.176Z",
    "dateReserved": "2025-06-05T14:08:10.764Z",
    "dateUpdated": "2025-06-17T19:52:40.992Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49158 (GCVE-0-2025-49158)

Vulnerability from cvelistv5 – Published: 2025-06-17 18:42 – Updated: 2025-06-17 19:55
VLAI
Summary
An uncontrolled search path vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalation privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-427 - Uncontrolled Search Path Element
Assigner
Impacted products
Vendor Product Version
Trend Micro, Inc. Trend Micro Apex One Affected: 2019 (14.0) , < 14.0.0.14002 (semver)
    cpe:2.3:a:trendmicro:apexone_op:14.0.0.14002:p3:*:*:*:*:*:*
Create a notification for this product.
Trend Micro, Inc. Trend Micro Apex One as a Service Affected: SaaS , < 14.0.14492 (semver)
    cpe:2.3:a:trendmicro:apexone_saas:14.0.0.14492:ga:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49158",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-17T19:55:27.119354Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-17T19:55:43.823Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:trendmicro:apexone_op:14.0.0.14002:p3:*:*:*:*:*:*"
          ],
          "product": "Trend Micro Apex One",
          "vendor": "Trend Micro, Inc.",
          "versions": [
            {
              "lessThan": "14.0.0.14002",
              "status": "affected",
              "version": "2019 (14.0)",
              "versionType": "semver"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:trendmicro:apexone_saas:14.0.0.14492:ga:*:*:*:*:*:*"
          ],
          "product": "Trend Micro Apex One as a Service",
          "vendor": "Trend Micro, Inc.",
          "versions": [
            {
              "lessThan": "14.0.14492",
              "status": "affected",
              "version": "SaaS",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An uncontrolled search path vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalation privileges on affected installations.\r\n\r\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-427",
              "description": "CWE-427: Uncontrolled Search Path Element",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-17T18:42:56.705Z",
        "orgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272",
        "shortName": "trendmicro"
      },
      "references": [
        {
          "url": "https://success.trendmicro.com/en-US/solution/KA-0019917"
        },
        {
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-365/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272",
    "assignerShortName": "trendmicro",
    "cveId": "CVE-2025-49158",
    "datePublished": "2025-06-17T18:42:56.705Z",
    "dateReserved": "2025-06-02T17:43:08.724Z",
    "dateUpdated": "2025-06-17T19:55:43.823Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49155 (GCVE-0-2025-49155)

Vulnerability from cvelistv5 – Published: 2025-06-17 18:42 – Updated: 2025-06-17 20:22
VLAI
Summary
An uncontrolled search path vulnerability in the Trend Micro Apex One Data Loss Prevention module could allow an attacker to inject malicious code leading to arbitrary code execution on affected installations.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-427 - Uncontrolled Search Path Element
Assigner
Impacted products
Vendor Product Version
Trend Micro, Inc. Trend Micro Apex One Affected: 2019 (14.0) , < 14.0.0.14002 (semver)
    cpe:2.3:a:trendmicro:apexone_op:14.0.0.14002:p3:*:*:*:*:*:*
Create a notification for this product.
Trend Micro, Inc. Trend Micro Apex One as a Service Affected: SaaS , < 14.0.14492 (semver)
    cpe:2.3:a:trendmicro:apexone_saas:14.0.0.14492:ga:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49155",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-17T20:22:23.426414Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-17T20:22:40.129Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:trendmicro:apexone_op:14.0.0.14002:p3:*:*:*:*:*:*"
          ],
          "product": "Trend Micro Apex One",
          "vendor": "Trend Micro, Inc.",
          "versions": [
            {
              "lessThan": "14.0.0.14002",
              "status": "affected",
              "version": "2019 (14.0)",
              "versionType": "semver"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:trendmicro:apexone_saas:14.0.0.14492:ga:*:*:*:*:*:*"
          ],
          "product": "Trend Micro Apex One as a Service",
          "vendor": "Trend Micro, Inc.",
          "versions": [
            {
              "lessThan": "14.0.14492",
              "status": "affected",
              "version": "SaaS",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An uncontrolled search path vulnerability in the Trend Micro Apex One Data Loss Prevention module could allow an attacker to inject malicious code leading to arbitrary code execution on affected installations."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-427",
              "description": "CWE-427: Uncontrolled Search Path Element",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-17T18:42:31.517Z",
        "orgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272",
        "shortName": "trendmicro"
      },
      "references": [
        {
          "url": "https://success.trendmicro.com/en-US/solution/KA-0019917"
        },
        {
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-362/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272",
    "assignerShortName": "trendmicro",
    "cveId": "CVE-2025-49155",
    "datePublished": "2025-06-17T18:42:31.517Z",
    "dateReserved": "2025-06-02T17:43:08.724Z",
    "dateUpdated": "2025-06-17T20:22:40.129Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49148 (GCVE-0-2025-49148)

Vulnerability from cvelistv5 – Published: 2025-06-11 14:53 – Updated: 2025-06-11 15:05
VLAI
Title
ClipShare Server Allows Local Privilege Escalation via DLL Hijacking
Summary
ClipShare is a lightweight and cross-platform tool for clipboard sharing. Prior to 3.8.5, ClipShare Server for Windows uses the default Windows DLL search order and loads system libraries like CRYPTBASE.dll and WindowsCodecs.dll from its own directory before the system path. A local, non-privileged user who can write to the folder containing clip_share.exe can place malicious DLLs there, leading to arbitrary code execution in the context of the server, and, if launched by an Administrator (or another elevated user), it results in a reliable local privilege escalation. This vulnerability is fixed in 3.8.5.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-427 - Uncontrolled Search Path Element
Assigner
References
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49148",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-11T15:04:46.497749Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-11T15:05:08.241Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "clip_share_server",
          "vendor": "thevindu-w",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.8.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ClipShare is a lightweight and cross-platform tool for clipboard sharing. Prior to 3.8.5, ClipShare Server for Windows uses the default Windows DLL search order and loads system libraries like CRYPTBASE.dll and WindowsCodecs.dll from its own directory before the system path. A local, non-privileged user who can write to the folder containing clip_share.exe can place malicious DLLs there, leading to arbitrary code execution in the context of the server, and, if launched by an Administrator (or another elevated user), it results in a reliable local privilege escalation. This vulnerability is fixed in 3.8.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-427",
              "description": "CWE-427: Uncontrolled Search Path Element",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-11T14:53:48.591Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/thevindu-w/clip_share_server/security/advisories/GHSA-rc47-h83g-2r8j",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/thevindu-w/clip_share_server/security/advisories/GHSA-rc47-h83g-2r8j"
        }
      ],
      "source": {
        "advisory": "GHSA-rc47-h83g-2r8j",
        "discovery": "UNKNOWN"
      },
      "title": "ClipShare Server Allows Local Privilege Escalation via DLL Hijacking"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49148",
    "datePublished": "2025-06-11T14:53:48.591Z",
    "dateReserved": "2025-06-02T10:39:41.635Z",
    "dateUpdated": "2025-06-11T15:05:08.241Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49144 (GCVE-0-2025-49144)

Vulnerability from cvelistv5 – Published: 2025-06-23 19:01 – Updated: 2026-02-26 17:50
VLAI
Title
Notepad++ Privilege Escalation in Installer via Uncontrolled Executable Search Path
Summary
Notepad++ is a free and open-source source code editor. In versions 8.8.1 and prior, a privilege escalation vulnerability exists in the Notepad++ v8.8.1 installer that allows unprivileged users to gain SYSTEM-level privileges through insecure executable search paths. An attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder - which is known as Vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges. This issue has been fixed and will be released in version 8.8.2.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-272 - Least Privilege Violation
  • CWE-276 - Incorrect Default Permissions
  • CWE-427 - Uncontrolled Search Path Element
Assigner
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49144",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-01T03:55:56.996774Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T17:50:26.914Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-12-24T14:46:08.689Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2025-49144-detect-notepad-vulnerability"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2025-49144-mitigate-notepad-vulnerability"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2025-49144-detect-notepad-vulnerability-1"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2025-49144-mitigate-notepad-vulnerability-1"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "notepad-plus-plus",
          "vendor": "notepad-plus-plus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 8.8.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Notepad++ is a free and open-source source code editor. In versions 8.8.1 and prior, a privilege escalation vulnerability exists in the Notepad++ v8.8.1 installer that allows unprivileged users to gain SYSTEM-level privileges through insecure executable search paths. An attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder - which is known as Vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges. This issue has been fixed and will be released in version 8.8.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-272",
              "description": "CWE-272: Least Privilege Violation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-276",
              "description": "CWE-276: Incorrect Default Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-427",
              "description": "CWE-427: Uncontrolled Search Path Element",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-23T19:01:16.276Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-9vx8-v79m-6m24",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-9vx8-v79m-6m24"
        },
        {
          "name": "https://github.com/notepad-plus-plus/notepad-plus-plus/commit/f2346ea00d5b4d907ed39d8726b38d77c8198f30",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/notepad-plus-plus/notepad-plus-plus/commit/f2346ea00d5b4d907ed39d8726b38d77c8198f30"
        },
        {
          "name": "https://drive.google.com/drive/folders/11yeUSWgqHvt4Bz5jO3ilRRfcpQZ6Gvpn",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://drive.google.com/drive/folders/11yeUSWgqHvt4Bz5jO3ilRRfcpQZ6Gvpn"
        }
      ],
      "source": {
        "advisory": "GHSA-9vx8-v79m-6m24",
        "discovery": "UNKNOWN"
      },
      "title": "Notepad++ Privilege Escalation in Installer via Uncontrolled Executable Search Path"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49144",
    "datePublished": "2025-06-23T19:01:16.276Z",
    "dateReserved": "2025-06-02T10:39:41.634Z",
    "dateUpdated": "2026-02-26T17:50:26.914Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-48503 (GCVE-0-2025-48503)

Vulnerability from cvelistv5 – Published: 2026-02-11 14:26 – Updated: 2026-02-26 14:44
VLAI
Summary
A DLL hijacking vulnerability in the AMD Software Installer could allow an attacker to achieve privilege escalation potentially resulting in arbitrary code execution.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-427 - Uncontrolled Search Path Element
Assigner
AMD
Impacted products
Vendor Product Version
AMD AMD Ryzen™ 4000 Series Mobile Processors with Radeon™ Graphics (formerly codenamed "Renoir") Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Ryzen™ 7035 Series Processors with Radeon™ Graphics (formerly codenamed "Rembrandt R") Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics (formerly codenamed "Picasso") Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Ryzen™ 7040 Series Mobile Processors with Radeon™ Graphics (formerly codenamed "Phoenix") Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Ryzen™ 7020 Series Processors with Radeon™ Graphics (formerly codenamed "Mendocino") Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Ryzen™ 7045 Series Mobile Processors with Radeon™ Graphics (formerly codenamed "Dragon Range") Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Ryzen™ 7000 Series Desktop Processors (formerly codenamed "Raphael"/"Raphael X3D") Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Ryzen™ 7030 Series Mobile Processors with Radeon™ Graphics (formerly codenamed "Barcelo R") Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Ryzen™ AI 300 Series Processors (formerly codenamed "Strix Point") Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Ryzen™ 7000 Series Desktop Processors (formerly codenamed "Raphael"/"Raphael-X3D") Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Ryzen™ 8000 Series Desktop Processors (formerly codenamed "Phoenix") Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Ryzen™ 9000 Series Desktop Processors (formerly codenamed "Granite Ridge") Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics (formerly codenamed "Cezanne") Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics (formerly codenamed "Lucienne") Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics (formerly codenamed "Barcelo") Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Ryzen™ 4000 Series Desktop Processors (formerly codenamed "Renoir") Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Ryzen™ 5000 Series Desktop Processors with Radeon™ Graphics (formerly codenamed "Cezanne") Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Ryzen™ 8040 Series Mobile Processors with Radeon™ Graphics (formerly codenamed "Hawk Point") Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Ryzen™ 3000 Series Mobile Processors with Radeon™ Graphics (formerly codenamed "Dali") Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics (formerly codenamed "Dali") Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Radeon™ RX 5000 Series Graphics Products Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Radeon™ RX 6000 Series Graphics Products Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Radeon™ RX 7000 Series Graphics Products Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD Placeholder Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Radeon™ PRO W5000 Series Graphics Products Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Radeon™ PRO W6000 Series Graphics Products Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Radeon™ PRO W7000 Series Graphics Products Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
AMD AMD Radeon™ RX 9000 Series Graphics Products Unaffected: amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe
Create a notification for this product.
Date Public
2026-02-11 14:10
Credits
Reported through AMD Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-48503",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-12T04:55:16.307671Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T14:44:26.626Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 4000 Series Mobile Processors with Radeon\u2122 Graphics (formerly codenamed \"Renoir\")",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7035 Series Processors with Radeon\u2122 Graphics (formerly codenamed \"Rembrandt R\")",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Athlon\u2122 3000 Series Mobile Processors with Radeon\u2122 Graphics (formerly codenamed \"Picasso\")",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7040 Series Mobile Processors with Radeon\u2122 Graphics (formerly codenamed \"Phoenix\")",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7020 Series Processors with Radeon\u2122 Graphics (formerly codenamed \"Mendocino\")",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7045 Series Mobile Processors with Radeon\u2122 Graphics (formerly codenamed \"Dragon Range\")",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7000 Series Desktop Processors (formerly codenamed \"Raphael\"/\"Raphael X3D\")",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7030 Series Mobile Processors with Radeon\u2122 Graphics (formerly codenamed \"Barcelo R\")",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 AI 300 Series Processors (formerly codenamed \"Strix Point\")",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7000 Series Desktop Processors (formerly codenamed \"Raphael\"/\"Raphael-X3D\")",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 8000 Series Desktop Processors (formerly codenamed \"Phoenix\")",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 8000 Series Desktop Processors (formerly codenamed \"Phoenix\")",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 9000 Series Desktop Processors (formerly codenamed \"Granite Ridge\")",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 5000 Series Mobile Processors with Radeon\u2122 Graphics (formerly codenamed \"Cezanne\")",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 5000 Series Mobile Processors with Radeon\u2122 Graphics (formerly codenamed \"Lucienne\")",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 5000 Series Mobile Processors with Radeon\u2122 Graphics (formerly codenamed \"Barcelo\")",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 4000 Series Desktop Processors (formerly codenamed \"Renoir\")",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 5000 Series Desktop Processors with Radeon\u2122 Graphics (formerly codenamed \"Cezanne\")",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 8040 Series Mobile Processors with Radeon\u2122 Graphics (formerly codenamed \"Hawk Point\")",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 3000 Series Mobile Processors with Radeon\u2122 Graphics (formerly codenamed \"Dali\")",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Athlon\u2122 3000 Series Mobile Processors with Radeon\u2122 Graphics (formerly codenamed \"Dali\")",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Radeon\u2122 RX 5000 Series Graphics Products",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Radeon\u2122 RX 6000 Series Graphics Products",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Radeon\u2122 RX 7000 Series Graphics Products",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Placeholder",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Radeon\u2122 PRO W5000 Series Graphics Products",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Radeon\u2122 PRO W6000 Series Graphics Products",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Radeon\u2122 PRO W7000 Series Graphics Products",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Radeon\u2122 RX 9000 Series Graphics Products",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "amd-software-adrenalin-edition-25.5.1-minimalsetup-250513_web.exe"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Reported through AMD Bug Bounty Program"
        }
      ],
      "datePublic": "2026-02-11T14:10:19.294Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A DLL hijacking vulnerability in the AMD Software Installer could allow an attacker to achieve privilege escalation potentially resulting in arbitrary code execution.\u003cbr\u003e"
            }
          ],
          "value": "A DLL hijacking vulnerability in the AMD Software Installer could allow an attacker to achieve privilege escalation potentially resulting in arbitrary code execution."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-427",
              "description": "CWE-427  Uncontrolled Search Path Element",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-11T14:26:49.430Z",
        "orgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
        "shortName": "AMD"
      },
      "references": [
        {
          "url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6024.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "AMD PSIRT Automation 1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
    "assignerShortName": "AMD",
    "cveId": "CVE-2025-48503",
    "datePublished": "2026-02-11T14:26:49.430Z",
    "dateReserved": "2025-05-22T16:34:02.895Z",
    "dateUpdated": "2026-02-26T14:44:26.626Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-48496 (GCVE-0-2025-48496)

Vulnerability from cvelistv5 – Published: 2025-07-10 23:43 – Updated: 2025-07-11 13:54
VLAI
Title
Emerson ValveLink Products Uncontrolled Search Path Element
Summary
Emerson ValveLink products use a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
Emerson ValveLink SOLO Affected: 0 , < ValveLink 14.0 (custom)
Create a notification for this product.
Emerson ValveLink DTM Affected: 0 , < ValveLink 14.0 (custom)
Create a notification for this product.
Emerson ValveLink PRM Affected: 0 , < ValveLink 14.0 (custom)
Create a notification for this product.
Emerson ValveLink SNAP-ON Affected: 0 , < ValveLink 14.0 (custom)
Create a notification for this product.
Credits
Emerson reported these vulnerabilities to CISA.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-48496",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T13:53:53.258810Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-11T13:54:00.868Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "ValveLink SOLO",
          "vendor": "Emerson",
          "versions": [
            {
              "lessThan": "ValveLink 14.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "ValveLink DTM",
          "vendor": "Emerson",
          "versions": [
            {
              "lessThan": "ValveLink 14.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "ValveLink PRM",
          "vendor": "Emerson",
          "versions": [
            {
              "lessThan": "ValveLink 14.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "ValveLink SNAP-ON",
          "vendor": "Emerson",
          "versions": [
            {
              "lessThan": "ValveLink 14.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Emerson reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Emerson ValveLink products \nuse a fixed or controlled search path to find resources, but one or \nmore locations in that path can be under the control of unintended \nactors."
            }
          ],
          "value": "Emerson ValveLink products \nuse a fixed or controlled search path to find resources, but one or \nmore locations in that path can be under the control of unintended \nactors."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-427",
              "description": "CWE-427",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T23:43:33.592Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-189-01"
        },
        {
          "url": "https://www.emerson.com/en-us/support/security-notifications"
        },
        {
          "url": "https://www.emerson.com/en-us/support/software-downloads-drivers"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Emerson recommends users update their Valvelink software to ValveLink \n14.0 or later. The upgrade can be downloaded from the Emerson \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.emerson.com/en-us/support/software-downloads-drivers\"\u003ewebsite\u003c/a\u003e\u0026nbsp;.\u003cp\u003eFor more information see the associated \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.emerson.com/en-us/support/security-notifications\"\u003eEmerson security notification.\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Emerson recommends users update their Valvelink software to ValveLink \n14.0 or later. The upgrade can be downloaded from the Emerson  website https://www.emerson.com/en-us/support/software-downloads-drivers \u00a0.For more information see the associated  Emerson security notification. https://www.emerson.com/en-us/support/security-notifications"
        }
      ],
      "source": {
        "advisory": "ICSA-25-189-01",
        "discovery": "INTERNAL"
      },
      "title": "Emerson ValveLink Products Uncontrolled Search Path Element",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-48496",
    "datePublished": "2025-07-10T23:43:33.592Z",
    "dateReserved": "2025-06-30T14:34:56.236Z",
    "dateUpdated": "2025-07-11T13:54:00.868Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-43553 (GCVE-0-2025-43553)

Vulnerability from cvelistv5 – Published: 2025-05-13 20:24 – Updated: 2025-05-13 20:54
VLAI
Title
Substance3D - Modeler | Uncontrolled Search Path Element (CWE-427)
Summary
Substance3D - Modeler versions 1.21.0 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. If the application relies on a search path to locate critical resources such as libraries or executables, an attacker could manipulate the search path to load a malicious resource, potentially executing arbitrary code. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-427 - Uncontrolled Search Path Element (CWE-427)
Assigner
References
Impacted products
Vendor Product Version
Adobe Substance3D - Modeler Affected: 0 , ≤ 1.21.0 (semver)
Create a notification for this product.
Date Public
2025-05-13 17:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-43553",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-13T20:54:33.759368Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-13T20:54:39.783Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Substance3D - Modeler",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "1.21.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2025-05-13T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Substance3D - Modeler versions 1.21.0 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. If the application relies on a search path to locate critical resources such as libraries or executables, an attacker could manipulate the search path to load a malicious resource, potentially executing arbitrary code. Exploitation of this issue requires user interaction in that a victim must open a malicious file."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 7.8,
            "environmentalSeverity": "HIGH",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "HIGH",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "LOCAL",
            "modifiedAvailabilityImpact": "HIGH",
            "modifiedConfidentialityImpact": "HIGH",
            "modifiedIntegrityImpact": "HIGH",
            "modifiedPrivilegesRequired": "NONE",
            "modifiedScope": "UNCHANGED",
            "modifiedUserInteraction": "REQUIRED",
            "privilegesRequired": "NONE",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "UNCHANGED",
            "temporalScore": 7.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-427",
              "description": "Uncontrolled Search Path Element (CWE-427)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-13T20:24:23.668Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/substance3d-modeler/apsb25-51.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Substance3D - Modeler | Uncontrolled Search Path Element (CWE-427)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2025-43553",
    "datePublished": "2025-05-13T20:24:23.668Z",
    "dateReserved": "2025-04-16T16:23:13.179Z",
    "dateUpdated": "2025-05-13T20:54:39.783Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-41670 (GCVE-0-2025-41670)

Vulnerability from cvelistv5 – Published: 2026-05-27 07:17 – Updated: 2026-05-27 12:04
VLAI
Title
Untrusted Search Path
Summary
A local user with low privileges may be able to influence the behavior of a privileged system service by manipulating configuration or application-related files located in user-writable areas of the filesystem. The affected service processes data from locations that are not sufficiently protected against modification by low-privileged users. As the service runs with elevated privileges, successful exploitation may result in a local privilege escalation.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-427 - Uncontrolled Search Path Element
Assigner
References
Impacted products
Vendor Product Version
Phoenix Contact AXC F 1152 Affected: 0.0.0 , < 2026.0.3 (semver)
Create a notification for this product.
Phoenix Contact AXC F 1252 Affected: 0.0.0 , < 2026.0.3 (semver)
Create a notification for this product.
Phoenix Contact AXC F 2000 EA Affected: 0.0.0 , < 2026.0.3 (semver)
Create a notification for this product.
Phoenix Contact AXC F 2152 Affected: 0.0.0 , < 2026.0.3 (semver)
Create a notification for this product.
Phoenix Contact AXC F 3152 Affected: 0.0.0 , < 2026.0.3 (semver)
Create a notification for this product.
Phoenix Contact BPC 9102S Affected: 0.0.0 , < 2026.0.3 (semver)
Create a notification for this product.
Phoenix Contact EPC 1522 Affected: 0.0.0 , < 2026.0.3 (semver)
Create a notification for this product.
Phoenix Contact RFC 4072R Affected: 0.0.0 , < 2026.0.3 (semver)
Create a notification for this product.
Phoenix Contact RFC 4072S Affected: 0.0.0 , < 2026.0.3 (semver)
Create a notification for this product.
Phoenix Contact VL3 UPC 2440 EDGE Affected: 0.0.0 , < 2026.0.3 (semver)
Create a notification for this product.
Phoenix Contact VPLCNEXT CONTROL 1000 Affected: 0.0.0 , < 2026.0.3 (semver)
Create a notification for this product.
Phoenix Contact VPLCNEXT CONTROL 2000 Affected: 0.0.0 , < 2026.0.3 (semver)
Create a notification for this product.
Phoenix Contact VPLCNEXT CONTROL 3000 Affected: 0.0.0 , < 2026.0.3 (semver)
Create a notification for this product.
Phoenix Contact VPLCNEXT CONTROL 500 Affected: 0.0.0 , < 2026.0.3 (semver)
Create a notification for this product.
Credits
Diego Giubertoni from Nozomi
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-41670",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T11:53:31.526293Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T12:04:21.896Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "AXC F 1152",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "AXC F 1252",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "AXC F 2000 EA",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "AXC F 2152",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "AXC F 3152",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "BPC 9102S",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "EPC 1522",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RFC 4072R",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RFC 4072S",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "VL3 UPC 2440 EDGE",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "VPLCNEXT CONTROL 1000",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "VPLCNEXT CONTROL 2000",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "VPLCNEXT CONTROL 3000",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "VPLCNEXT CONTROL 500",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:axc_f_1152:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:axc_f_1252:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:axc_f_2000_ea:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:axc_f_2152:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:axc_f_3152:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:bpc_9102s:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:epc_1522:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:rfc_4072r:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:rfc_4072s:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:vl3_upc_2440_edge:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:vplcnext_control_1000:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:vplcnext_control_2000:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:vplcnext_control_3000:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:vplcnext_control_500:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Diego Giubertoni from Nozomi"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA local user with low privileges may be able to influence the behavior of a privileged system service by manipulating configuration or application-related files located in user-writable areas of the filesystem. The affected service processes data from locations that are not sufficiently protected against modification by low-privileged users. As the service runs with elevated privileges, successful exploitation may result in a local privilege escalation.\u003c/p\u003e"
            }
          ],
          "value": "A local user with low privileges may be able to influence the behavior of a privileged system service by manipulating configuration or application-related files located in user-writable areas of the filesystem. The affected service processes data from locations that are not sufficiently protected against modification by low-privileged users. As the service runs with elevated privileges, successful exploitation may result in a local privilege escalation."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-427",
              "description": "CWE-427 Uncontrolled Search Path Element",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T07:17:43.775Z",
        "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
        "shortName": "CERTVDE"
      },
      "references": [
        {
          "url": "https://www.certvde.com/en/advisories/VDE-2026-050/"
        }
      ],
      "source": {
        "advisory": "VDE-2026-050",
        "defect": [
          "CERT@VDE#641839"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Untrusted Search Path",
      "x_generator": {
        "engine": "Vulnogram 0.4.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
    "assignerShortName": "CERTVDE",
    "cveId": "CVE-2025-41670",
    "datePublished": "2026-05-27T07:17:43.775Z",
    "dateReserved": "2025-04-16T11:17:48.308Z",
    "dateUpdated": "2026-05-27T12:04:21.896Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Architecture and Design Implementation

Strategy: Attack Surface Reduction

Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.

Mitigation
Implementation

Strategy: Attack Surface Reduction

Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.

Mitigation
Implementation

Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. Since this is a denylist approach, it might not be a complete solution.

Mitigation
Implementation

Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of finding the program using the PATH environment variable, while execl() and execv() require a full path.

CAPEC-38: Leveraging/Manipulating Configuration File Search Paths

This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.

CAPEC-471: Search Order Hijacking

An adversary exploits a weakness in an application's specification of external libraries to exploit the functionality of the loader where the process loading the library searches first in the same directory in which the process binary resides and then in other directories. Exploitation of this preferential search order can allow an attacker to make the loading process load the adversary's rogue library rather than the legitimate library. This attack can be leveraged with many different libraries and with many different loading processes. No forensic trails are left in the system's registry or file system that an incorrect library had been loaded.