CWE-427
Allowed-with-ReviewUncontrolled Search Path Element
Abstraction: Base · Status: Draft
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
1782 vulnerabilities reference this CWE, most recent first.
GHSA-RJ9R-9HQF-9323
Vulnerability from github – Published: 2022-04-03 00:01 – Updated: 2022-04-09 00:00Delta Electronics DIAEnergie (all versions prior to 1.8.02.004) are vulnerable to a DLL hijacking condition. When combined with the Incorrect Default Permissions vulnerability of 4.2.2 above, this makes it possible for an attacker to escalate privileges
{
"affected": [],
"aliases": [
"CVE-2022-1098"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-01T23:15:00Z",
"severity": "HIGH"
},
"details": "Delta Electronics DIAEnergie (all versions prior to 1.8.02.004) are vulnerable to a DLL hijacking condition. When combined with the Incorrect Default Permissions vulnerability of 4.2.2 above, this makes it possible for an attacker to escalate privileges",
"id": "GHSA-rj9r-9hqf-9323",
"modified": "2022-04-09T00:00:39Z",
"published": "2022-04-03T00:01:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1098"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RJJM-WQ7G-6HF4
Vulnerability from github – Published: 2022-07-19 00:00 – Updated: 2022-07-28 00:00This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Access 6.5.4 (39316) Agent. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerability. The specific flaw exists within the Parallels Service. The service executes files from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-16137.
{
"affected": [],
"aliases": [
"CVE-2022-34901"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-18T15:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Access 6.5.4 (39316) Agent. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerability. The specific flaw exists within the Parallels Service. The service executes files from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-16137.",
"id": "GHSA-rjjm-wq7g-6hf4",
"modified": "2022-07-28T00:00:43Z",
"published": "2022-07-19T00:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34901"
},
{
"type": "WEB",
"url": "https://kb.parallels.com/en/129010"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-948"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RM22-8C83-9F9J
Vulnerability from github – Published: 2022-11-11 19:00 – Updated: 2022-11-17 15:30Uncontrolled search path element in the Intel(R) Glorp software may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2022-30548"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-11T16:15:00Z",
"severity": "HIGH"
},
"details": "Uncontrolled search path element in the Intel(R) Glorp software may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-rm22-8c83-9f9j",
"modified": "2022-11-17T15:30:21Z",
"published": "2022-11-11T19:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30548"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00673.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RM3X-2J5X-PP4W
Vulnerability from github – Published: 2025-04-09 21:31 – Updated: 2025-04-09 21:31There is a DLL hijacking vulnerability due to an uncontrolled search path that exists in NI LabVIEW. This vulnerability may result in arbitrary code execution. Successful exploitation requires an attacker to insert a malicious DLL into the uncontrolled search path. This vulnerability affects NI LabVIEW 2025 Q1 and prior versions.
{
"affected": [],
"aliases": [
"CVE-2025-2630"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-09T19:15:48Z",
"severity": "HIGH"
},
"details": "There is a DLL hijacking vulnerability due to an uncontrolled search path that exists in NI LabVIEW. This vulnerability may result in arbitrary code execution. Successful exploitation requires an attacker to insert a malicious DLL into the uncontrolled search path. This vulnerability affects NI LabVIEW 2025 Q1 and prior versions.",
"id": "GHSA-rm3x-2j5x-pp4w",
"modified": "2025-04-09T21:31:42Z",
"published": "2025-04-09T21:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2630"
},
{
"type": "WEB",
"url": "https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/dll-hijacking-vulnerability-in-ni-labview.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RPGW-5PXP-R3MM
Vulnerability from github – Published: 2023-03-13 15:30 – Updated: 2023-03-22 21:30McAfee Total Protection prior to 16.0.49 allows attackers to elevate user privileges due to DLL sideloading. This could enable a user with lower privileges to execute unauthorized tasks.
{
"affected": [],
"aliases": [
"CVE-2023-24578"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-13T13:15:00Z",
"severity": "MODERATE"
},
"details": "McAfee Total Protection prior to 16.0.49 allows attackers to elevate user privileges due to DLL sideloading. This could enable a user with lower privileges to execute unauthorized tasks.",
"id": "GHSA-rpgw-5pxp-r3mm",
"modified": "2023-03-22T21:30:17Z",
"published": "2023-03-13T15:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24578"
},
{
"type": "WEB",
"url": "https://www.mcafee.com/en-us/consumer-corporate/mcafee-labs/product-security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.mcafee.com/support/?articleId=TS103397\u0026page=shell\u0026shell=article-view"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RPMW-WX66-8J32
Vulnerability from github – Published: 2026-03-04 15:30 – Updated: 2026-03-04 15:30Dell PowerScale OneFS, versions prior to 9.10.1.6 and versions 9.11.0.0 through 9.12.0.1, contains an uncontrolled search path element vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service, elevation of privileges, and information disclosure.
{
"affected": [],
"aliases": [
"CVE-2026-22270"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-04T13:15:57Z",
"severity": "MODERATE"
},
"details": "Dell PowerScale OneFS, versions prior to 9.10.1.6 and versions 9.11.0.0 through 9.12.0.1, contains an uncontrolled search path element vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service, elevation of privileges, and information disclosure.",
"id": "GHSA-rpmw-wx66-8j32",
"modified": "2026-03-04T15:30:35Z",
"published": "2026-03-04T15:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22270"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-sg/000432452/dsa-2026-038-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RQX6-XFGJ-645G
Vulnerability from github – Published: 2024-05-16 21:32 – Updated: 2024-05-16 21:32Uncontrolled search path in Intel(R) Graphics Command Center Service bundled in some Intel(R) Graphics Windows DCH driver software before versions 31.0.101.3790/31.0.101.2114 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2023-43751"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-16T21:15:56Z",
"severity": "MODERATE"
},
"details": "Uncontrolled search path in Intel(R) Graphics Command Center Service bundled in some Intel(R) Graphics Windows DCH driver software before versions 31.0.101.3790/31.0.101.2114 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-rqx6-xfgj-645g",
"modified": "2024-05-16T21:32:00Z",
"published": "2024-05-16T21:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43751"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00937.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RRMC-V4R3-Q6V9
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30A DLL search path vulnerability was reported in the Lenovo HardwareScan Plugin for the Lenovo Vantage hardware scan feature prior to version 1.0.46.11 that could allow escalation of privilege.
{
"affected": [],
"aliases": [
"CVE-2020-8345"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-14T22:15:00Z",
"severity": "HIGH"
},
"details": "A DLL search path vulnerability was reported in the Lenovo HardwareScan Plugin for the Lenovo Vantage hardware scan feature prior to version 1.0.46.11 that could allow escalation of privilege.",
"id": "GHSA-rrmc-v4r3-q6v9",
"modified": "2022-05-24T17:30:48Z",
"published": "2022-05-24T17:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8345"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/us/en/product_security/LEN-44421"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RRR2-5HQC-JH43
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06OpenVPN Connect 3.2.0 through 3.3.0 allows local users to load arbitrary dynamic loadable libraries via an OpenSSL configuration file if present, which allows the user to run arbitrary code with the same privilege level as the main OpenVPN process (OpenVPNConnect.exe).
{
"affected": [],
"aliases": [
"CVE-2021-3613"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-02T13:15:00Z",
"severity": "HIGH"
},
"details": "OpenVPN Connect 3.2.0 through 3.3.0 allows local users to load arbitrary dynamic loadable libraries via an OpenSSL configuration file if present, which allows the user to run arbitrary code with the same privilege level as the main OpenVPN process (OpenVPNConnect.exe).",
"id": "GHSA-rrr2-5hqc-jh43",
"modified": "2022-05-24T19:06:53Z",
"published": "2022-05-24T19:06:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3613"
},
{
"type": "WEB",
"url": "https://openvpn.net/vpn-server-resources/openvpn-connect-for-windows-change-log"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RV69-975F-QP5X
Vulnerability from github – Published: 2022-05-13 01:05 – Updated: 2022-05-13 01:05Untrusted search path vulnerability in The installer of Windows 10 Fall Creators Update Modify module for Security Measures tool allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2018-16177"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-09T23:29:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in The installer of Windows 10 Fall Creators Update Modify module for Security Measures tool allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-rv69-975f-qp5x",
"modified": "2022-05-13T01:05:38Z",
"published": "2022-05-13T01:05:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16177"
},
{
"type": "WEB",
"url": "https://f-security.jp/v6/support/information/100193.html"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN15709478/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Attack Surface Reduction
Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
Mitigation
Strategy: Attack Surface Reduction
When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.
Mitigation
Strategy: Attack Surface Reduction
Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.
Mitigation
Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. Since this is a denylist approach, it might not be a complete solution.
Mitigation
Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of finding the program using the PATH environment variable, while execl() and execv() require a full path.
CAPEC-38: Leveraging/Manipulating Configuration File Search Paths
This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.
CAPEC-471: Search Order Hijacking
An adversary exploits a weakness in an application's specification of external libraries to exploit the functionality of the loader where the process loading the library searches first in the same directory in which the process binary resides and then in other directories. Exploitation of this preferential search order can allow an attacker to make the loading process load the adversary's rogue library rather than the legitimate library. This attack can be leveraged with many different libraries and with many different loading processes. No forensic trails are left in the system's registry or file system that an incorrect library had been loaded.