CWE-427
Allowed-with-ReviewUncontrolled Search Path Element
Abstraction: Base · Status: Draft
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
1782 vulnerabilities reference this CWE, most recent first.
CVE-2026-5064 (GCVE-0-2026-5064)
Vulnerability from cvelistv5 – Published: 2026-06-15 21:23 – Updated: 2026-06-18 03:55- CWE-427 - Uncontrolled Search Path Element
| Vendor | Product | Version | |
|---|---|---|---|
| HP Inc. | HP One Agent Software |
Affected:
0 , < 1.3.214.7339
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5064",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T03:55:43.182Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"platforms": [
"Windows"
],
"product": "HP One Agent Software",
"vendor": "HP Inc.",
"versions": [
{
"lessThan": "1.3.214.7339",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hp_inc.:hp_one_agent_software:*:*:windows:*:*:*:*:*",
"versionEndExcluding": "1.3.214.7339",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Potential security vulnerabilities have been identified in the HP One \nAgent for certain HP PC products, which might allow\n for escalation of privilege and/or denial of service. HP \nis releasing software updates to mitigate these potential \nvulnerabilities."
}
],
"value": "Potential security vulnerabilities have been identified in the HP One \nAgent for certain HP PC products, which might allow\n for escalation of privilege and/or denial of service. HP \nis releasing software updates to mitigate these potential \nvulnerabilities."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427: Uncontrolled Search Path Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T21:23:01.045Z",
"orgId": "74586083-13ce-40fd-b46a-8e5d23cfbcb2",
"shortName": "hp"
},
"references": [
{
"url": "https://support.hp.com/us-en/document/ish_15146555-15146580-16/hpsbhf04060"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HP One Agent Software \u2013 Security Update",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "74586083-13ce-40fd-b46a-8e5d23cfbcb2",
"assignerShortName": "hp",
"cveId": "CVE-2026-5064",
"datePublished": "2026-06-15T21:23:01.045Z",
"dateReserved": "2026-03-27T20:50:13.974Z",
"dateUpdated": "2026-06-18T03:55:43.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5055 (GCVE-0-2026-5055)
Vulnerability from cvelistv5 – Published: 2026-04-11 00:14 – Updated: 2026-04-14 03:55- CWE-427 - Uncontrolled Search Path Element
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5055",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T03:55:48.016Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "NoMachine",
"vendor": "NoMachine",
"versions": [
{
"status": "affected",
"version": "9.2.18_1"
}
]
}
],
"dateAssigned": "2026-03-27T18:06:08.850Z",
"datePublic": "2026-03-30T19:45:53.272Z",
"descriptions": [
{
"lang": "en",
"value": "NoMachine Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the NoMachine Device Server. The product loads a library from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-28494."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427: Uncontrolled Search Path Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-11T00:14:25.877Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-26-249",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-249/"
}
],
"source": {
"lang": "en",
"value": "khongtrang"
},
"title": "NoMachine Uncontrolled Search Path Element Local Privilege Escalation Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2026-5055",
"datePublished": "2026-04-11T00:14:25.877Z",
"dateReserved": "2026-03-27T18:06:08.827Z",
"dateUpdated": "2026-04-14T03:55:48.016Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4962 (GCVE-0-2026-4962)
Vulnerability from cvelistv5 – Published: 2026-03-27 17:05 – Updated: 2026-03-27 22:07 X_Open Source| URL | Tags |
|---|---|
| https://vuldb.com/?id.353839 | vdb-entry |
| https://vuldb.com/?ctiid.353839 | signaturepermissions-required |
| https://vuldb.com/?submit.777619 | third-party-advisory |
| https://drive.google.com/file/d/1QC-MrqGsfjr4phEN… | exploit |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4962",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T17:42:52.602261Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T17:43:07.263Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ultravnc:ultravnc:*:*:*:*:*:*:*:*"
],
"modules": [
"Service"
],
"product": "UltraVNC",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "1.6.0"
},
{
"status": "affected",
"version": "1.6.1"
},
{
"status": "affected",
"version": "1.6.2"
},
{
"status": "affected",
"version": "1.6.3"
},
{
"status": "affected",
"version": "1.6.4.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "haehanse (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in UltraVNC up to 1.6.4.0. Affected by this issue is some unknown functionality in the library version.dll of the component Service. The manipulation results in uncontrolled search path. The attack needs to be approached locally. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6,
"vectorString": "AV:L/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "Uncontrolled Search Path",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "Untrusted Search Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T22:07:28.414Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-353839 | UltraVNC Service version.dll uncontrolled search path",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.353839"
},
{
"name": "VDB-353839 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.353839"
},
{
"name": "Submit #777619 | UltraVNC 1.6.4.0 Uncontrolled Search Path-Privilege escalation with version.dll",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.777619"
},
{
"tags": [
"exploit"
],
"url": "https://drive.google.com/file/d/1QC-MrqGsfjr4phEN77krLFZHQN8S48U_/view"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-03-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-27T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-27T09:18:07.000Z",
"value": "VulDB entry last update"
}
],
"title": "UltraVNC Service version.dll uncontrolled search path"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4962",
"datePublished": "2026-03-27T17:05:16.691Z",
"dateReserved": "2026-03-27T08:13:02.541Z",
"dateUpdated": "2026-03-27T22:07:28.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4546 (GCVE-0-2026-4546)
Vulnerability from cvelistv5 – Published: 2026-03-22 13:02 – Updated: 2026-03-23 16:39| URL | Tags |
|---|---|
| https://vuldb.com/?id.352373 | vdb-entry |
| https://vuldb.com/?ctiid.352373 | signaturepermissions-required |
| https://vuldb.com/?submit.774778 | third-party-advisory |
| https://drive.google.com/file/d/1w5-ztNIN28mPuidt… | related |
| Vendor | Product | Version | |
|---|---|---|---|
| Flos Freeware | Notepad2 |
Affected:
4.2.25
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4546",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T16:15:15.911646Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T16:39:39.426Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Notepad2",
"vendor": "Flos Freeware",
"versions": [
{
"status": "affected",
"version": "4.2.25"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "haehanse (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in Flos Freeware Notepad2 4.2.25. This impacts an unknown function in the library TextShaping.dll. Executing a manipulation can lead to uncontrolled search path. The attack is restricted to local execution. The attack requires a high level of complexity. The exploitability is said to be difficult. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6,
"vectorString": "AV:L/AC:H/Au:S/C:C/I:C/A:C/E:ND/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "Uncontrolled Search Path",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "Untrusted Search Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-22T13:02:40.125Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-352373 | Flos Freeware Notepad2 TextShaping.dll uncontrolled search path",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.352373"
},
{
"name": "VDB-352373 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.352373"
},
{
"name": "Submit #774778 | Flos Freeware Notepad2 4.2.25 Uncontrolled Search Path - DLL Hijacking with TextShaping.dll",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.774778"
},
{
"tags": [
"related"
],
"url": "https://drive.google.com/file/d/1w5-ztNIN28mPuidtjlsilKsKKQQNOiIJ/view"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-21T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-21T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-21T17:49:11.000Z",
"value": "VulDB entry last update"
}
],
"title": "Flos Freeware Notepad2 TextShaping.dll uncontrolled search path"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4546",
"datePublished": "2026-03-22T13:02:40.125Z",
"dateReserved": "2026-03-21T16:44:04.131Z",
"dateUpdated": "2026-03-23T16:39:39.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4545 (GCVE-0-2026-4545)
Vulnerability from cvelistv5 – Published: 2026-03-22 11:20 – Updated: 2026-03-24 14:34| URL | Tags |
|---|---|
| https://vuldb.com/?id.352372 | vdb-entry |
| https://vuldb.com/?ctiid.352372 | signaturepermissions-required |
| https://vuldb.com/?submit.774752 | third-party-advisory |
| https://drive.google.com/file/d/1o3A3x47B2gi645H0… | related |
| Vendor | Product | Version | |
|---|---|---|---|
| Flos Freeware | Notepad2 |
Affected:
4.2.25
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4545",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T14:34:07.223451Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T14:34:17.765Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Notepad2",
"vendor": "Flos Freeware",
"versions": [
{
"status": "affected",
"version": "4.2.25"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "haehanse (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in Flos Freeware Notepad2 4.2.25. This affects an unknown function in the library PROPSYS.dll. Performing a manipulation results in uncontrolled search path. The attack is only possible with local access. The attack is considered to have high complexity. The exploitability is reported as difficult. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6,
"vectorString": "AV:L/AC:H/Au:S/C:C/I:C/A:C/E:ND/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "Uncontrolled Search Path",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "Untrusted Search Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-22T11:20:57.774Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-352372 | Flos Freeware Notepad2 PROPSYS.dll uncontrolled search path",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.352372"
},
{
"name": "VDB-352372 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.352372"
},
{
"name": "Submit #774752 | Flos Freeware Notepad2 4.2.25 Uncontrolled Search Path",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.774752"
},
{
"tags": [
"related"
],
"url": "https://drive.google.com/file/d/1o3A3x47B2gi645H02-28qgoIgGN-g6rK/view"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-21T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-21T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-21T17:49:09.000Z",
"value": "VulDB entry last update"
}
],
"title": "Flos Freeware Notepad2 PROPSYS.dll uncontrolled search path"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4545",
"datePublished": "2026-03-22T11:20:57.774Z",
"dateReserved": "2026-03-21T16:44:00.664Z",
"dateUpdated": "2026-03-24T14:34:17.765Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4158 (GCVE-0-2026-4158)
Vulnerability from cvelistv5 – Published: 2026-04-11 00:17 – Updated: 2026-04-13 17:40- CWE-427 - Uncontrolled Search Path Element
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
| https://github.com/keepassxreboot/keepassxc/secur… | vendor-advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4158",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T17:39:53.737910Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T17:40:04.189Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "KeePassXC",
"vendor": "KeePassXC",
"versions": [
{
"status": "affected",
"version": "2.7.11"
}
]
}
],
"dateAssigned": "2026-03-13T20:35:42.731Z",
"datePublic": "2026-03-16T21:39:32.593Z",
"descriptions": [
{
"lang": "en",
"value": "KeePassXC OpenSSL Configuration Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of KeePassXC. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the configuration of OpenSSL. The product loads configuration from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of KeePassXC when run by a target user on the system. Was ZDI-CAN-29156."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427: Uncontrolled Search Path Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-11T00:17:00.676Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-26-215",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-215/"
},
{
"name": "vendor-provided URL",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/keepassxreboot/keepassxc/security/advisories/GHSA-4gr2-cr97-q9fx"
}
],
"source": {
"lang": "en",
"value": "Xavier DANEST"
},
"title": "KeePassXC OpenSSL Configuration Uncontrolled Search Path Element Local Privilege Escalation Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2026-4158",
"datePublished": "2026-04-11T00:17:00.676Z",
"dateReserved": "2026-03-13T20:35:42.678Z",
"dateUpdated": "2026-04-13T17:40:04.189Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4134 (GCVE-0-2026-4134)
Vulnerability from cvelistv5 – Published: 2026-04-15 12:28 – Updated: 2026-04-15 13:08- CWE-427 - Uncontrolled Search Path Element
| Vendor | Product | Version | |
|---|---|---|---|
| Lenovo | Software Fix |
Affected:
0 , < 7.5.5.19
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4134",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T13:05:56.581633Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T13:08:19.333Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Software Fix",
"vendor": "Lenovo",
"versions": [
{
"lessThan": "7.5.5.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:lenovo:software_fix:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.5.5.19",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix, that during installation could allow a local authenticated user to execute code with elevated privileges.\u003cbr\u003e"
}
],
"value": "During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix, that during installation could allow a local authenticated user to execute code with elevated privileges."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427: Uncontrolled Search Path Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T12:28:05.838Z",
"orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
"shortName": "lenovo"
},
"references": [
{
"url": "https://support.lenovo.com/us/en/product_security/LEN-213829"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update Lenovo Software Fix to version 7.5.5.19 or later.\u003cbr\u003e"
}
],
"value": "Update Lenovo Software Fix to version 7.5.5.19 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.3.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
"assignerShortName": "lenovo",
"cveId": "CVE-2026-4134",
"datePublished": "2026-04-15T12:28:05.838Z",
"dateReserved": "2026-03-13T14:48:30.665Z",
"dateUpdated": "2026-04-15T13:08:19.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3787 (GCVE-0-2026-3787)
Vulnerability from cvelistv5 – Published: 2026-03-08 23:02 – Updated: 2026-03-10 20:26 X_Open Source| URL | Tags |
|---|---|
| https://vuldb.com/?id.349754 | vdb-entry |
| https://vuldb.com/?ctiid.349754 | signaturepermissions-required |
| https://vuldb.com/?submit.767257 | third-party-advisory |
| https://drive.google.com/file/d/14ixv_1i4D2VrZWyl… | related |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3787",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T20:25:13.729869Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T20:26:30.164Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ultravnc:ultravnc:*:*:*:*:*:*:*:*"
],
"modules": [
"Windows Service"
],
"product": "UltraVNC",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "1.6.4.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "haehanse (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in UltraVNC 1.6.4.0 on Windows. This affects an unknown function in the library cryptbase.dll of the component Windows Service. This manipulation causes uncontrolled search path. The attack requires local access. A high degree of complexity is needed for the attack. The exploitability is reported as difficult. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6,
"vectorString": "AV:L/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "Uncontrolled Search Path",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "Untrusted Search Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-08T23:02:06.940Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-349754 | UltraVNC Windows Service cryptbase.dll uncontrolled search path",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.349754"
},
{
"name": "VDB-349754 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.349754"
},
{
"name": "Submit #767257 | UltraVNC 1.6.4.0 Uncontrolled Search Path",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.767257"
},
{
"tags": [
"related"
],
"url": "https://drive.google.com/file/d/14ixv_1i4D2VrZWyl4RKsvFcN1AMF_qNx/view"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-03-08T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-08T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-08T08:16:52.000Z",
"value": "VulDB entry last update"
}
],
"title": "UltraVNC Windows Service cryptbase.dll uncontrolled search path"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-3787",
"datePublished": "2026-03-08T23:02:06.940Z",
"dateReserved": "2026-03-08T07:11:28.250Z",
"dateUpdated": "2026-03-10T20:26:30.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3775 (GCVE-0-2026-3775)
Vulnerability from cvelistv5 – Published: 2026-04-01 01:40 – Updated: 2026-04-02 02:11- CWE-427 - DLL Hijacking
| Vendor | Product | Version | |
|---|---|---|---|
| Foxit Software Inc. | Foxit PDF Editor |
Affected:
Versions 2025.3 and earlier
|
|
| Foxit Software Inc. | Foxit PDF Reader |
Affected:
Versions 2025.3 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3775",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T14:16:37.847431Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:50:46.885Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Foxit PDF Editor",
"vendor": "Foxit Software Inc.",
"versions": [
{
"status": "affected",
"version": "Versions 2025.3 and earlier"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Foxit PDF Reader",
"vendor": "Foxit Software Inc.",
"versions": [
{
"status": "affected",
"version": "Versions 2025.3 and earlier"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erik Egsgard of Field Effect working with TrendAI Zero Day Initiative"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The application\u0027s update service, when checking for updates, loads certain system libraries from a search path that includes directories writable by low\u2011privileged users and is not strictly restricted to trusted system locations. Because these libraries may be resolved and loaded from user\u2011writable locations, a local attacker can place a malicious library there and have it loaded with SYSTEM privileges, resulting in local privilege escalation and arbitrary code execution."
}
],
"value": "The application\u0027s update service, when checking for updates, loads certain system libraries from a search path that includes directories writable by low\u2011privileged users and is not strictly restricted to trusted system locations. Because these libraries may be resolved and loaded from user\u2011writable locations, a local attacker can place a malicious library there and have it loaded with SYSTEM privileges, resulting in local privilege escalation and arbitrary code execution."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Potential arbitrary code execution"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427: DLL Hijacking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T02:11:52.749Z",
"orgId": "14984358-7092-470d-8f34-ade47a7658a2",
"shortName": "Foxit"
},
"references": [
{
"url": "https://www.foxit.com/support/security-bulletins.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Foxit PDF Editor/Reader Update Service Uncontrolled Search Path Element Local Privilege Escalation Vulnerability",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "14984358-7092-470d-8f34-ade47a7658a2",
"assignerShortName": "Foxit",
"cveId": "CVE-2026-3775",
"datePublished": "2026-04-01T01:40:36.975Z",
"dateReserved": "2026-03-08T03:42:27.208Z",
"dateUpdated": "2026-04-02T02:11:52.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3091 (GCVE-0-2026-3091)
Vulnerability from cvelistv5 – Published: 2026-02-24 02:31 – Updated: 2026-06-02 08:32- CWE-427 - Uncontrolled Search Path Element
| URL | Tags |
|---|---|
| https://www.synology.com/en-global/security/advis… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Synology | Synology Presto Client |
Affected:
* , < 2.1.3-0672
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3091",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T20:48:28.071520Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T20:48:54.091Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Synology Presto Client",
"vendor": "Synology",
"versions": [
{
"lessThan": "2.1.3-0672",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sahil Shah"
}
],
"descriptions": [
{
"lang": "en",
"value": "An uncontrolled search path element vulnerability in Synology Presto Client before 2.1.3-0672 allows local users to read or write arbitrary files and conduct denial-of-service during installation by placing a malicious DLL in advance in the same directory as the installer."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "Uncontrolled Search Path Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T08:32:30.493Z",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"name": "Synology-SA-26:02 Synology Presto Client",
"tags": [
"vendor-advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_26_02"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2026-3091",
"datePublished": "2026-02-24T02:31:20.298Z",
"dateReserved": "2026-02-24T01:34:19.753Z",
"dateUpdated": "2026-06-02T08:32:30.493Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Strategy: Attack Surface Reduction
Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
Mitigation
Strategy: Attack Surface Reduction
When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.
Mitigation
Strategy: Attack Surface Reduction
Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.
Mitigation
Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. Since this is a denylist approach, it might not be a complete solution.
Mitigation
Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of finding the program using the PATH environment variable, while execl() and execv() require a full path.
CAPEC-38: Leveraging/Manipulating Configuration File Search Paths
This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.
CAPEC-471: Search Order Hijacking
An adversary exploits a weakness in an application's specification of external libraries to exploit the functionality of the loader where the process loading the library searches first in the same directory in which the process binary resides and then in other directories. Exploitation of this preferential search order can allow an attacker to make the loading process load the adversary's rogue library rather than the legitimate library. This attack can be leveraged with many different libraries and with many different loading processes. No forensic trails are left in the system's registry or file system that an incorrect library had been loaded.