CWE-427
Allowed-with-ReviewUncontrolled Search Path Element
Abstraction: Base · Status: Draft
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
1784 vulnerabilities reference this CWE, most recent first.
GHSA-QPQ4-373M-Q6X8
Vulnerability from github – Published: 2022-05-24 17:20 – Updated: 2022-05-24 17:20Mids' Reborn Hero Designer 2.6.0.7 has an elevation of privilege vulnerability due to default and insecure permissions being set for the installation folder. By default, the Authenticated Users group has Modify permissions to the installation folder. Because of this, any user on the system can replace binaries or plant malicious DLLs to obtain elevated, or different, privileges, depending on the context of the user that runs the application.
{
"affected": [],
"aliases": [
"CVE-2020-11613"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-11T17:15:00Z",
"severity": "MODERATE"
},
"details": "Mids\u0027 Reborn Hero Designer 2.6.0.7 has an elevation of privilege vulnerability due to default and insecure permissions being set for the installation folder. By default, the Authenticated Users group has Modify permissions to the installation folder. Because of this, any user on the system can replace binaries or plant malicious DLLs to obtain elevated, or different, privileges, depending on the context of the user that runs the application.",
"id": "GHSA-qpq4-373m-q6x8",
"modified": "2022-05-24T17:20:19Z",
"published": "2022-05-24T17:20:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11613"
},
{
"type": "WEB",
"url": "https://github.com/Crytilis/mids-reborn-hero-designer/releases"
},
{
"type": "WEB",
"url": "https://www.doyler.net/security-not-included/mids-reborn-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QRHF-Q88M-C43R
Vulnerability from github – Published: 2022-05-24 17:39 – Updated: 2022-05-24 17:39Untrusted search path vulnerability in the installer of SKYSEA Client View Ver.1.020.05b to Ver.16.001.01g allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2021-20616"
],
"database_specific": {
"cwe_ids": [
"CWE-426",
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-13T10:15:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in the installer of SKYSEA Client View Ver.1.020.05b to Ver.16.001.01g allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-qrhf-q88m-c43r",
"modified": "2022-05-24T17:39:12Z",
"published": "2022-05-24T17:39:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20616"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN69635538/index.html"
},
{
"type": "WEB",
"url": "https://www.skyseaclientview.net/news/210112_01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QRQ7-92H2-M9MX
Vulnerability from github – Published: 2025-10-09 15:31 – Updated: 2025-12-04 21:31Use of an insecure temporary directory in the Windows License plugin for the Checkmk Windows Agent allows Privilege Escalation. This issue affects Checkmk: from 2.4.0 before 2.4.0p13, from 2.3.0 before 2.3.0p38, from 2.2.0 before 2.2.0p46, and all versions of 2.1.0 (EOL).
{
"affected": [],
"aliases": [
"CVE-2025-32919"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-09T15:16:06Z",
"severity": "HIGH"
},
"details": "Use of an insecure temporary directory in the Windows License plugin for the Checkmk Windows Agent allows Privilege Escalation. This issue affects Checkmk: from 2.4.0 before 2.4.0p13, from 2.3.0 before 2.3.0p38, from 2.2.0 before 2.2.0p46, and all versions of 2.1.0 (EOL).",
"id": "GHSA-qrq7-92h2-m9mx",
"modified": "2025-12-04T21:31:01Z",
"published": "2025-10-09T15:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32919"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/18207"
},
{
"type": "WEB",
"url": "https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250724-01_Checkmk_Agent_Privilege_Escalation_via_Insecure_Temporary_Files"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Oct/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QV4R-H8VJ-9F9C
Vulnerability from github – Published: 2025-11-11 18:30 – Updated: 2025-11-11 18:30Uncontrolled search path for some Intel(R) Distribution for Python software installers before version 2025.2.0 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
{
"affected": [],
"aliases": [
"CVE-2025-30182"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-11T17:15:46Z",
"severity": "MODERATE"
},
"details": "Uncontrolled search path for some Intel(R) Distribution for Python software installers before version 2025.2.0 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.",
"id": "GHSA-qv4r-h8vj-9f9c",
"modified": "2025-11-11T18:30:18Z",
"published": "2025-11-11T18:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30182"
},
{
"type": "WEB",
"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01382.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QWWQ-984W-2342
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32IBM SDK, Java Technology Edition Version 8 on the AIX platform uses absolute RPATHs which may facilitate code injection and privilege elevation by local users. IBM X-Force ID: 152081.
{
"affected": [],
"aliases": [
"CVE-2018-1890"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-11T22:29:00Z",
"severity": "HIGH"
},
"details": "IBM SDK, Java Technology Edition Version 8 on the AIX platform uses absolute RPATHs which may facilitate code injection and privilege elevation by local users. IBM X-Force ID: 152081.",
"id": "GHSA-qwwq-984w-2342",
"modified": "2022-05-13T01:32:32Z",
"published": "2022-05-13T01:32:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1890"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/152081"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10873042"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10873332"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10874750"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107448"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QX9X-5RRJ-5599
Vulnerability from github – Published: 2025-11-11 18:30 – Updated: 2025-11-11 18:30Uncontrolled search path for some Intel Driver and Support Assistant before version 25.2 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable local code execution. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
{
"affected": [],
"aliases": [
"CVE-2025-30506"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-11T17:15:47Z",
"severity": "MODERATE"
},
"details": "Uncontrolled search path for some Intel Driver and Support Assistant before version 25.2 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable local code execution. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.",
"id": "GHSA-qx9x-5rrj-5599",
"modified": "2025-11-11T18:30:19Z",
"published": "2025-11-11T18:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30506"
},
{
"type": "WEB",
"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01361.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QXCQ-VFXX-5HXP
Vulnerability from github – Published: 2023-06-23 21:30 – Updated: 2024-04-04 05:08A maliciously crafted DLL file can be forced to write beyond allocated boundaries in the Autodesk installer when parsing the DLL files and could lead to a Privilege Escalation vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-27908"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-23T20:15:08Z",
"severity": "HIGH"
},
"details": "A maliciously crafted DLL file can be forced to write beyond allocated boundaries in the Autodesk installer when parsing the DLL files and could lead to a Privilege Escalation vulnerability.",
"id": "GHSA-qxcq-vfxx-5hxp",
"modified": "2024-04-04T05:08:41Z",
"published": "2023-06-23T21:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27908"
},
{
"type": "WEB",
"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QXM5-VX5J-PP6W
Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2024-10-23 18:48In some conditions, a snap package built by snapcraft includes the current directory in LD_LIBRARY_PATH, allowing a malicious snap to gain code execution within the context of another snap if both plug the home interface or similar. This issue affects snapcraft versions prior to 4.4.4, prior to 2.43.1+16.04.1, and prior to 2.43.1+18.04.1.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "snapcraft"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.4.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-27348"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-22T22:57:14Z",
"nvd_published_at": "2020-12-04T03:15:00Z",
"severity": "MODERATE"
},
"details": "In some conditions, a snap package built by snapcraft includes the current directory in `LD_LIBRARY_PATH`, allowing a malicious snap to gain code execution within the context of another snap if both plug the home interface or similar. This issue affects snapcraft versions prior to 4.4.4, prior to 2.43.1+16.04.1, and prior to 2.43.1+18.04.1.",
"id": "GHSA-qxm5-vx5j-pp6w",
"modified": "2024-10-23T18:48:17Z",
"published": "2022-05-24T17:35:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27348"
},
{
"type": "WEB",
"url": "https://github.com/snapcore/snapcraft/pull/3345"
},
{
"type": "WEB",
"url": "https://github.com/snapcore/snapcraft/commit/a0ceca9d531a34c979251030ed67b5fa2abfdd9a"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/bugs/1901572"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/snapcraft/PYSEC-2020-109.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/snapcore/snapcraft"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/usn/usn-4661-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "snapcraft Access Restriction Bypass"
}
GHSA-QXQ5-P7H4-X2VW
Vulnerability from github – Published: 2022-09-01 00:00 – Updated: 2022-09-07 00:01AutomationDirect DirectLOGIC has a DLL vulnerability in the install directory that may allow an attacker to execute code during the installation process. This issue affects: AutomationDirect C-more EA9 EA9-T6CL versions prior to 6.73; EA9-T6CL-R versions prior to 6.73; EA9-T7CL versions prior to 6.73; EA9-T7CL-R versions prior to 6.73; EA9-T8CL versions prior to 6.73; EA9-T10CL versions prior to 6.73; EA9-T10WCL versions prior to 6.73; EA9-T12CL versions prior to 6.73; EA9-T15CL versions prior to 6.73; EA9-RHMI versions prior to 6.73; EA9-PGMSW versions prior to 6.73;
{
"affected": [],
"aliases": [
"CVE-2022-2006"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-31T16:15:00Z",
"severity": "HIGH"
},
"details": "AutomationDirect DirectLOGIC has a DLL vulnerability in the install directory that may allow an attacker to execute code during the installation process. This issue affects: AutomationDirect C-more EA9 EA9-T6CL versions prior to 6.73; EA9-T6CL-R versions prior to 6.73; EA9-T7CL versions prior to 6.73; EA9-T7CL-R versions prior to 6.73; EA9-T8CL versions prior to 6.73; EA9-T10CL versions prior to 6.73; EA9-T10WCL versions prior to 6.73; EA9-T12CL versions prior to 6.73; EA9-T15CL versions prior to 6.73; EA9-RHMI versions prior to 6.73; EA9-PGMSW versions prior to 6.73;",
"id": "GHSA-qxq5-p7h4-x2vw",
"modified": "2022-09-07T00:01:49Z",
"published": "2022-09-01T00:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2006"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-167-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QXWF-3XFR-GCP8
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by an Uncontrolled Search Path Element vulnerability. An attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user via DLL hijacking. Exploitation of this issue requires user interaction.
{
"affected": [],
"aliases": [
"CVE-2021-35982"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-29T16:15:00Z",
"severity": "HIGH"
},
"details": "Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by an Uncontrolled Search Path Element vulnerability. An attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user via DLL hijacking. Exploitation of this issue requires user interaction.",
"id": "GHSA-qxwf-3xfr-gcp8",
"modified": "2022-05-24T19:16:07Z",
"published": "2022-05-24T19:16:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35982"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb21-55.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Strategy: Attack Surface Reduction
Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
Mitigation
Strategy: Attack Surface Reduction
When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.
Mitigation
Strategy: Attack Surface Reduction
Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.
Mitigation
Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. Since this is a denylist approach, it might not be a complete solution.
Mitigation
Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of finding the program using the PATH environment variable, while execl() and execv() require a full path.
CAPEC-38: Leveraging/Manipulating Configuration File Search Paths
This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.
CAPEC-471: Search Order Hijacking
An adversary exploits a weakness in an application's specification of external libraries to exploit the functionality of the loader where the process loading the library searches first in the same directory in which the process binary resides and then in other directories. Exploitation of this preferential search order can allow an attacker to make the loading process load the adversary's rogue library rather than the legitimate library. This attack can be leveraged with many different libraries and with many different loading processes. No forensic trails are left in the system's registry or file system that an incorrect library had been loaded.