CWE-427
Allowed-with-ReviewUncontrolled Search Path Element
Abstraction: Base · Status: Draft
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
1786 vulnerabilities reference this CWE, most recent first.
GHSA-HGWP-4VP4-QMM2
Vulnerability from github – Published: 2021-05-24 16:56 – Updated: 2023-03-02 21:10In cloudflared versions < 2020.8.1 (corresponding to 0.0.0-20200820025921-9323844ea773 on pkg.go.dev) on Windows, if an administrator has started cloudflared and set it to read configuration files from a certain directory, an unprivileged user can exploit a misconfiguration in order to escalate privileges and execute system-level commands. The misconfiguration was due to the way that cloudflared reads its configuration file. One of the locations that cloudflared reads from (C:\etc) is not a secure by default directory due to the fact that Windows does not enforce access controls on this directory without further controls applied. A malformed config.yaml file can be written by any user. Upon reading this config, cloudflared would output an error message to a log file defined in the malformed config. The user-controlled log file location could be set to a specific location that Windows will execute when any user logs in.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/cloudflare/cloudflared"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20200820025921-9323844ea773"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-24356"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-24T16:52:03Z",
"nvd_published_at": "2020-10-02T15:15:00Z",
"severity": "HIGH"
},
"details": "In `cloudflared` versions \u003c 2020.8.1 (corresponding to 0.0.0-20200820025921-9323844ea773 on pkg.go.dev) on Windows, if an administrator has started `cloudflared` and set it to read configuration files from a certain directory, an unprivileged user can exploit a misconfiguration in order to escalate privileges and execute system-level commands. The misconfiguration was due to the way that `cloudflared` reads its configuration file. One of the locations that `cloudflared` reads from (C:\\etc\\) is not a secure by default directory due to the fact that Windows does not enforce access controls on this directory without further controls applied. A malformed config.yaml file can be written by any user. Upon reading this config, `cloudflared` would output an error message to a log file defined in the malformed config. The user-controlled log file location could be set to a specific location that Windows will execute when any user logs in.",
"id": "GHSA-hgwp-4vp4-qmm2",
"modified": "2023-03-02T21:10:45Z",
"published": "2021-05-24T16:56:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cloudflare/cloudflared/security/advisories/GHSA-hgwp-4vp4-qmm2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24356"
},
{
"type": "WEB",
"url": "https://github.com/cloudflare/cloudflared/commit/9323844ea773b1444460fa09295ab8c01a88d97e"
},
{
"type": "PACKAGE",
"url": "https://github.com/cloudflare/cloudflared"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Local Privilege Escalation in cloudflared"
}
GHSA-HHC7-9JF4-WHGX
Vulnerability from github – Published: 2025-04-01 03:31 – Updated: 2025-04-01 21:31Sub::HandlesVia for Perl before 0.050002 allows untrusted code from the current working directory ('.') to be loaded similar to CVE-2016-1238.
If an attacker can place a malicious file in current working directory, it may be loaded instead of the intended file, potentially leading to arbitrary code execution.
Sub::HandlesVia uses Mite to produce the affected code section due to CVE-2025-30672
{
"affected": [],
"aliases": [
"CVE-2025-30673"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-01T03:15:16Z",
"severity": "MODERATE"
},
"details": "Sub::HandlesVia for Perl before 0.050002 allows untrusted code from the current working directory (\u0027.\u0027) to be loaded similar to CVE-2016-1238.\n\nIf an attacker can place a malicious file in current working directory, it may be\u00a0loaded instead of the intended file, potentially leading to arbitrary\u00a0code execution.\n\nSub::HandlesVia uses Mite to produce the affected code section due to\u00a0CVE-2025-30672",
"id": "GHSA-hhc7-9jf4-whgx",
"modified": "2025-04-01T21:31:10Z",
"published": "2025-04-01T03:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30673"
},
{
"type": "WEB",
"url": "https://blogs.perl.org/users/todd_rinaldo/2016/11/what-happened-to-dot-in-inc.html"
},
{
"type": "WEB",
"url": "https://metacpan.org/dist/Sub-HandlesVia/changes#L12"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/TOBYINK/Sub-HandlesVia-0.050001/source/lib/Sub/HandlesVia/Mite.pm#L114"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HHV5-QPMH-PC66
Vulnerability from github – Published: 2026-04-23 09:32 – Updated: 2026-04-29 21:31EfficientLab Controlio before v1.3.95 contains a DLL hijacking vulnerability caused by weak folder permissions in the installation directory. A local attacker can place a specially crafted DLL in this directory and achieve arbitrary code execution with highest privileges, because the affected service runs as NT AUTHORITY\SYSTEM.
{
"affected": [],
"aliases": [
"CVE-2025-10549"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-23T07:16:39Z",
"severity": "MODERATE"
},
"details": "EfficientLab Controlio before v1.3.95 contains a DLL hijacking vulnerability caused by weak folder permissions in the installation directory. A local attacker can place a specially crafted DLL in this directory and achieve arbitrary code execution with highest privileges, because the affected service runs as NT AUTHORITY\\SYSTEM.",
"id": "GHSA-hhv5-qpmh-pc66",
"modified": "2026-04-29T21:31:23Z",
"published": "2026-04-23T09:32:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10549"
},
{
"type": "WEB",
"url": "https://kb.controlio.net/hc/en-us/articles/45777908471185-Client-Update-April-15-2026-ver-1-3-95"
},
{
"type": "WEB",
"url": "https://r.sec-consult.com/controlio"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2026/Apr/19"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HHVV-GX6C-P7JJ
Vulnerability from github – Published: 2023-11-30 15:30 – Updated: 2023-11-30 15:30An uncontrolled search path element vulnerability has been found on 4D and 4D server Windows executables applications, affecting version 19 R8 100218. This vulnerability consists in a DLL hijacking by replacing x64 shfolder.dll in the installation path, causing an arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2023-4770"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-30T14:15:11Z",
"severity": "MODERATE"
},
"details": "An uncontrolled search path element vulnerability has been found on 4D and 4D server Windows executables applications, affecting version 19 R8 100218. This vulnerability consists in a DLL hijacking by replacing x64 shfolder.dll in the installation path, causing an arbitrary code execution.",
"id": "GHSA-hhvv-gx6c-p7jj",
"modified": "2023-11-30T15:30:24Z",
"published": "2023-11-30T15:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4770"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/uncontrolled-search-path-element-vulnerability-4d-and-4d-windows-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HMH2-CJVV-P2C9
Vulnerability from github – Published: 2026-05-12 18:30 – Updated: 2026-05-12 18:30Uncontrolled search path for some Intel(R) Server Firmware Update Utility Software before version 16.0.12. within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
{
"affected": [],
"aliases": [
"CVE-2025-35969"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-12T17:16:13Z",
"severity": "MODERATE"
},
"details": "Uncontrolled search path for some Intel(R) Server Firmware Update Utility Software before version 16.0.12. within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.",
"id": "GHSA-hmh2-cjvv-p2c9",
"modified": "2026-05-12T18:30:38Z",
"published": "2026-05-12T18:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35969"
},
{
"type": "WEB",
"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01410.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HMJM-5WQX-FP83
Vulnerability from github – Published: 2025-05-13 21:30 – Updated: 2025-05-13 21:30Uncontrolled search path for some Intel(R) Graphics software may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2025-21099"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-13T21:16:09Z",
"severity": "MODERATE"
},
"details": "Uncontrolled search path for some Intel(R) Graphics software may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-hmjm-5wqx-fp83",
"modified": "2025-05-13T21:30:56Z",
"published": "2025-05-13T21:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21099"
},
{
"type": "WEB",
"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01259.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HMPC-H8WW-8C7C
Vulnerability from github – Published: 2024-05-16 21:32 – Updated: 2024-05-16 21:32Uncontrolled search path in some Intel(R) GPA Framework software before version 2023.4 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2024-21861"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-16T21:16:05Z",
"severity": "MODERATE"
},
"details": "Uncontrolled search path in some Intel(R) GPA Framework software before version 2023.4 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-hmpc-h8ww-8c7c",
"modified": "2024-05-16T21:32:02Z",
"published": "2024-05-16T21:32:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21861"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01067.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HMVW-RWMJ-GPHW
Vulnerability from github – Published: 2025-04-17 18:31 – Updated: 2025-04-17 18:31Uncontrolled Search Path Element vulnerability in OpenText Secure Content Manager on Windows allows DLL Side-Loading.This issue affects Secure Content Manager: 23.4.
End-users can potentially exploit the vulnerability to execute malicious code in the trusted context of the thick-client application.
{
"affected": [],
"aliases": [
"CVE-2024-12530"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-17T16:15:27Z",
"severity": "HIGH"
},
"details": "Uncontrolled Search Path Element vulnerability in OpenText Secure Content Manager on Windows allows DLL Side-Loading.This issue affects Secure Content Manager: 23.4.\n\nEnd-users can potentially exploit the vulnerability to execute malicious code in the trusted context of the thick-client application.",
"id": "GHSA-hmvw-rwmj-gphw",
"modified": "2025-04-17T18:31:12Z",
"published": "2025-04-17T18:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12530"
},
{
"type": "WEB",
"url": "https://portal.microfocus.com/s/article/KM000040073?"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HPG6-HP9W-VXQP
Vulnerability from github – Published: 2023-07-28 00:30 – Updated: 2025-02-13 18:31An installer that loads or executes files using an unconstrained search path may be vulnerable to substitute files under control of an attacker being loaded or executed instead of the intended files.
{
"affected": [],
"aliases": [
"CVE-2022-43703"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-27T22:15:12Z",
"severity": "HIGH"
},
"details": "An installer that loads or executes files using an unconstrained search path may be vulnerable to substitute files under control of an attacker being loaded or executed instead of the intended files.",
"id": "GHSA-hpg6-hp9w-vxqp",
"modified": "2025-02-13T18:31:43Z",
"published": "2023-07-28T00:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43703"
},
{
"type": "WEB",
"url": "https://developer.arm.com/documentation/ka005596/latest"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00930.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HQF8-533M-FQGC
Vulnerability from github – Published: 2025-11-04 21:31 – Updated: 2025-11-04 21:31NVIDIA NVApp for Windows contains a vulnerability in the installer, where a local attacker can cause a search path element issue. A successful exploit of this vulnerability might lead to code execution and escalation of privileges.
{
"affected": [],
"aliases": [
"CVE-2025-23358"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-04T20:17:14Z",
"severity": "HIGH"
},
"details": "NVIDIA NVApp for Windows contains a vulnerability in the installer, where a local attacker can cause a search path element issue. A successful exploit of this vulnerability might lead to code execution and escalation of privileges.",
"id": "GHSA-hqf8-533m-fqgc",
"modified": "2025-11-04T21:31:36Z",
"published": "2025-11-04T21:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23358"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5717"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23358"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Attack Surface Reduction
Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
Mitigation
Strategy: Attack Surface Reduction
When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.
Mitigation
Strategy: Attack Surface Reduction
Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.
Mitigation
Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. Since this is a denylist approach, it might not be a complete solution.
Mitigation
Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of finding the program using the PATH environment variable, while execl() and execv() require a full path.
CAPEC-38: Leveraging/Manipulating Configuration File Search Paths
This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.
CAPEC-471: Search Order Hijacking
An adversary exploits a weakness in an application's specification of external libraries to exploit the functionality of the loader where the process loading the library searches first in the same directory in which the process binary resides and then in other directories. Exploitation of this preferential search order can allow an attacker to make the loading process load the adversary's rogue library rather than the legitimate library. This attack can be leveraged with many different libraries and with many different loading processes. No forensic trails are left in the system's registry or file system that an incorrect library had been loaded.