CWE-427
Allowed-with-ReviewUncontrolled Search Path Element
Abstraction: Base · Status: Draft
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
1786 vulnerabilities reference this CWE, most recent first.
GHSA-M59V-VRFW-F5J3
Vulnerability from github – Published: 2024-05-16 21:32 – Updated: 2024-05-16 21:32Uncontrolled search path in some Intel(R) Processor Identification Utility software before versions 6.10.34.1129, 7.1.6 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2024-21774"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-16T21:16:02Z",
"severity": "MODERATE"
},
"details": "Uncontrolled search path in some Intel(R) Processor Identification Utility software before versions 6.10.34.1129, 7.1.6 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-m59v-vrfw-f5j3",
"modified": "2024-05-16T21:32:01Z",
"published": "2024-05-16T21:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21774"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01054.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M5CV-RQ77-5Q44
Vulnerability from github – Published: 2025-09-10 12:30 – Updated: 2026-01-29 18:31DLL search path hijacking vulnerability in the UPDF.exe executable for Windows version 1.8.5.0 allows attackers with local access to execute arbitrary code by placing a FREngine.dll file of their choice in the 'C:\Users\\AppData\Local\UPDF\FREngine\Bin64\' directory, which could lead to arbitrary code execution and persistence.
{
"affected": [],
"aliases": [
"CVE-2025-10214"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-10T12:15:32Z",
"severity": "HIGH"
},
"details": "DLL search path hijacking vulnerability in the UPDF.exe executable for Windows version 1.8.5.0 allows attackers with local access to execute arbitrary code by placing a FREngine.dll file of their choice in the \u0027C:\\Users\\\u003cuser\u003e\\AppData\\Local\\UPDF\\FREngine\\Bin64\\\u0027 directory, which could lead to arbitrary code execution and persistence.",
"id": "GHSA-m5cv-rq77-5q44",
"modified": "2026-01-29T18:31:30Z",
"published": "2025-09-10T12:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10214"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-updf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M678-F26J-3HRP
Vulnerability from github – Published: 2022-10-26 22:07 – Updated: 2024-09-24 20:39Impact
What kind of vulnerability is it? Who is impacted?
We’d like to disclose an arbitrary code execution vulnerability in jupyter_core that stems from jupyter_core executing untrusted files in the current working directory. This vulnerability allows one user to run code as another.
Patches
Has the problem been patched? What versions should users upgrade to?
Users should upgrade to jupyter_core>=4.11.2.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading? No
References
Are there any links users can visit to find out more? Similar advisory in IPython
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "jupyter-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.11.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-39286"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-269",
"CWE-427"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-26T22:07:00Z",
"nvd_published_at": "2022-10-26T20:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\nWe\u2019d like to disclose an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in the current working directory. This vulnerability allows one user to run code as another.\n\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\nUsers should upgrade to `jupyter_core\u003e=4.11.2`.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\nNo\n\n### References\n_Are there any links users can visit to find out more?_\nSimilar advisory in [IPython](https://github.com/advisories/GHSA-pq7m-3gw7-gq5x)\n\n",
"id": "GHSA-m678-f26j-3hrp",
"modified": "2024-09-24T20:39:29Z",
"published": "2022-10-26T22:07:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jupyter/jupyter_core/security/advisories/GHSA-m678-f26j-3hrp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39286"
},
{
"type": "WEB",
"url": "https://github.com/jupyter/jupyter_core/commit/1118c8ce01800cb689d51f655f5ccef19516e283"
},
{
"type": "PACKAGE",
"url": "https://github.com/jupyter/jupyter_core"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/jupyter-core/PYSEC-2022-42974.yaml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00022.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KKMP5OXXIX2QAUNVNJZ5UEQFKDYYJVBA"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YIDN7JMLK6AOMBQI4QPSW4MBQGWQ5NIN"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202301-04"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5422"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Execution with Unnecessary Privileges in JupyterApp"
}
GHSA-M6JF-WJ3W-42J2
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-15 18:31When opening a Windows shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system.
This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 102.1, Firefox < 103, and Thunderbird < 102.1.
{
"affected": [],
"aliases": [
"CVE-2022-36314"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "MODERATE"
},
"details": "When opening a Windows shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system.\u003cbr\u003eThis bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR \u003c 102.1, Firefox \u003c 103, and Thunderbird \u003c 102.1.",
"id": "GHSA-m6jf-wj3w-42j2",
"modified": "2025-04-15T18:31:31Z",
"published": "2022-12-22T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36314"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1773894"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-28"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-30"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-32"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M78J-WWFX-36XP
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44Dell SupportAssist Client for Consumer PCs versions 3.7.x, 3.6.x, 3.4.x, 3.3.x, Dell SupportAssist Client for Business PCs versions 2.0.x, 2.1.x, 2.2.x, and Dell SupportAssist Client ProManage 1.x contain a DLL injection vulnerability in the Costura Fody plugin. A local user with low privileges could potentially exploit this vulnerability, leading to the execution of arbitrary executable on the operating system with SYSTEM privileges.
{
"affected": [],
"aliases": [
"CVE-2021-21518"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-12T20:15:00Z",
"severity": "HIGH"
},
"details": "Dell SupportAssist Client for Consumer PCs versions 3.7.x, 3.6.x, 3.4.x, 3.3.x, Dell SupportAssist Client for Business PCs versions 2.0.x, 2.1.x, 2.2.x, and Dell SupportAssist Client ProManage 1.x contain a DLL injection vulnerability in the Costura Fody plugin. A local user with low privileges could potentially exploit this vulnerability, leading to the execution of arbitrary executable on the operating system with SYSTEM privileges.",
"id": "GHSA-m78j-wwfx-36xp",
"modified": "2022-05-24T17:44:30Z",
"published": "2022-05-24T17:44:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21518"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000184012/dsa-2021-052-dell-supportassist-for-home-pcs-business-pcs-security-update-for-pc-doctor-plugin-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M7MQ-GP8M-39MP
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45Loading a DLL through an Uncontrolled Search Path Element in the Bosch Configuration Manager installer up to and including version 7.21.0078 potentially allows an attacker to execute arbitrary code on a victim's system. A prerequisite is that the victim is tricked into placing a malicious DLL in the same directory where the installer is started from.
{
"affected": [],
"aliases": [
"CVE-2020-6788"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-25T16:15:00Z",
"severity": "HIGH"
},
"details": "Loading a DLL through an Uncontrolled Search Path Element in the Bosch Configuration Manager installer up to and including version 7.21.0078 potentially allows an attacker to execute arbitrary code on a victim\u0027s system. A prerequisite is that the victim is tricked into placing a malicious DLL in the same directory where the installer is started from.",
"id": "GHSA-m7mq-gp8m-39mp",
"modified": "2022-05-24T17:45:21Z",
"published": "2022-05-24T17:45:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6788"
},
{
"type": "WEB",
"url": "https://psirt.bosch.com/security-advisories/bosch-sa-835563-bt.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M7P7-GCP5-WR3W
Vulnerability from github – Published: 2026-02-12 06:30 – Updated: 2026-02-12 06:30The installer of M-Track Duo HD version 1.0.0 contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with administrator privileges.
{
"affected": [],
"aliases": [
"CVE-2026-25676"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-12T05:17:04Z",
"severity": "HIGH"
},
"details": "The installer of M-Track Duo HD version 1.0.0 contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with administrator privileges.",
"id": "GHSA-m7p7-gcp5-wr3w",
"modified": "2026-02-12T06:30:13Z",
"published": "2026-02-12T06:30:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25676"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN88690363"
},
{
"type": "WEB",
"url": "https://www.m-audio.com/audio-midi-interfaces/m-track-duo-hd.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M892-QJXF-RM97
Vulnerability from github – Published: 2023-06-04 00:30 – Updated: 2023-06-04 00:30** UNSUPPPORTED WHEN ASSIGNED ** ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Captura up to 8.0.0. It has been declared as critical. This vulnerability affects unknown code in the library CRYPTBASE.dll. The manipulation leads to uncontrolled search path. Attacking locally is a requirement. The complexity of an attack is rather high. The exploitation appears to be difficult. The identifier of this vulnerability is VDB-230668. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
{
"affected": [],
"aliases": [
"CVE-2023-3091"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-04T00:15:09Z",
"severity": "HIGH"
},
"details": "** UNSUPPPORTED WHEN ASSIGNED ** ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Captura up to 8.0.0. It has been declared as critical. This vulnerability affects unknown code in the library CRYPTBASE.dll. The manipulation leads to uncontrolled search path. Attacking locally is a requirement. The complexity of an attack is rather high. The exploitation appears to be difficult. The identifier of this vulnerability is VDB-230668. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
"id": "GHSA-m892-qjxf-rm97",
"modified": "2023-06-04T00:30:19Z",
"published": "2023-06-04T00:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3091"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.230668"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.230668"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M898-H4PM-PQFR
Vulnerability from github – Published: 2021-05-25 18:44 – Updated: 2025-05-19 16:35Impact
The go language recently addressed a security issue in the way that binaries are found before being executed. Some operating systems like Windows persist to have the current directory being part of the default search path, and having priority over the system-wide path.
This means that it's possible for a malicious user to craft for example a git.bat command, commit it and push it in a repository. Later when git-bug search for the git binary, this malicious executable can take priority and be executed.
Who is impacted
This issue happen on Windows and some other operating systems with a badly configured PATH.
All version prior to 0.7.2 are vulnerable to this issue.
Patches
Version 0.7.2 fix this issue. Users should update as soon as possible.
References
More details about this issue can be found here.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/MichaelMure/git-bug"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-28955"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-21T21:22:50Z",
"nvd_published_at": "2021-03-22T07:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nThe go language recently addressed a security issue in the way that binaries are found before being executed. Some operating systems like Windows persist to have the current directory being part of the default search path, and having priority over the system-wide path.\n\nThis means that it\u0027s possible for a malicious user to craft for example a `git.bat` command, commit it and push it in a repository. Later when git-bug search for the git binary, this malicious executable can take priority and be executed.\n\n### Who is impacted\n\nThis issue happen on Windows and some other operating systems with a badly configured PATH.\n\nAll version prior to 0.7.2 are vulnerable to this issue.\n\n### Patches\n\nVersion 0.7.2 fix this issue. Users should update as soon as possible.\n\n### References\n\nMore details about this issue can be found [here](https://blog.golang.org/path-security).",
"id": "GHSA-m898-h4pm-pqfr",
"modified": "2025-05-19T16:35:59Z",
"published": "2021-05-25T18:44:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/git-bug/git-bug/security/advisories/GHSA-m898-h4pm-pqfr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28955"
},
{
"type": "WEB",
"url": "https://github.com/MichaelMure/git-bug/pull/604"
},
{
"type": "PACKAGE",
"url": "https://github.com/git-bug/git-bug"
},
{
"type": "WEB",
"url": "https://vuln.ryotak.me/advisories/18"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Arbitrary code execution due to an uncontrolled search path for the git binary"
}
GHSA-M89Q-5H24-2XM5
Vulnerability from github – Published: 2024-01-12 09:30 – Updated: 2024-01-12 09:30Privilege escalation in jar_signature agent plugin in Checkmk before 2.2.0p17, 2.1.0p37 and 2.0.0p39 allows local user to escalate privileges
{
"affected": [],
"aliases": [
"CVE-2023-6740"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-12T08:15:43Z",
"severity": "HIGH"
},
"details": "Privilege escalation in jar_signature agent plugin in Checkmk before 2.2.0p17, 2.1.0p37 and 2.0.0p39 allows local user to escalate privileges",
"id": "GHSA-m89q-5h24-2xm5",
"modified": "2024-01-12T09:30:29Z",
"published": "2024-01-12T09:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6740"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/16163"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Attack Surface Reduction
Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
Mitigation
Strategy: Attack Surface Reduction
When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.
Mitigation
Strategy: Attack Surface Reduction
Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.
Mitigation
Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. Since this is a denylist approach, it might not be a complete solution.
Mitigation
Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of finding the program using the PATH environment variable, while execl() and execv() require a full path.
CAPEC-38: Leveraging/Manipulating Configuration File Search Paths
This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.
CAPEC-471: Search Order Hijacking
An adversary exploits a weakness in an application's specification of external libraries to exploit the functionality of the loader where the process loading the library searches first in the same directory in which the process binary resides and then in other directories. Exploitation of this preferential search order can allow an attacker to make the loading process load the adversary's rogue library rather than the legitimate library. This attack can be leveraged with many different libraries and with many different loading processes. No forensic trails are left in the system's registry or file system that an incorrect library had been loaded.