CWE-428
AllowedUnquoted Search Path or Element
Abstraction: Base · Status: Draft
The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
761 vulnerabilities reference this CWE, most recent first.
GHSA-67MF-8W9H-JP3C
Vulnerability from github – Published: 2026-02-06 18:30 – Updated: 2026-02-06 18:30Wondershare Application Framework Service 2.4.3.231 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted service path by placing malicious executables in specific directory locations to hijack the service's execution context.
{
"affected": [],
"aliases": [
"CVE-2019-25266"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-06T17:16:10Z",
"severity": "HIGH"
},
"details": "Wondershare Application Framework Service 2.4.3.231 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted service path by placing malicious executables in specific directory locations to hijack the service\u0027s execution context.",
"id": "GHSA-67mf-8w9h-jp3c",
"modified": "2026-02-06T18:30:31Z",
"published": "2026-02-06T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25266"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/47617"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/wondershare-application-framework-service-wsappservice-unquote-service-path"
},
{
"type": "WEB",
"url": "https://www.wondershare.com"
},
{
"type": "WEB",
"url": "https://www.wondershare.com/drfone"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-695Q-XR4M-VPV8
Vulnerability from github – Published: 2026-02-05 00:31 – Updated: 2026-02-05 00:31Shrew Soft VPN Client 2.2.2 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can place malicious executables in the unquoted service path to gain elevated access during service startup or system reboot.
{
"affected": [],
"aliases": [
"CVE-2019-25283"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-05T00:15:52Z",
"severity": "HIGH"
},
"details": "Shrew Soft VPN Client 2.2.2 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can place malicious executables in the unquoted service path to gain elevated access during service startup or system reboot.",
"id": "GHSA-695q-xr4m-vpv8",
"modified": "2026-02-05T00:31:01Z",
"published": "2026-02-05T00:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25283"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/47660"
},
{
"type": "WEB",
"url": "https://www.shrew.net"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/shrew-soft-vpn-client-iked-unquoted-service-path"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-69GP-4M7W-MHFG
Vulnerability from github – Published: 2026-01-16 21:30 – Updated: 2026-01-16 21:30Sandboxie Plus 0.7.4 contains an unquoted service path vulnerability in the SbieSvc service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions.
{
"affected": [],
"aliases": [
"CVE-2021-47832"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-16T19:16:08Z",
"severity": "HIGH"
},
"details": "Sandboxie Plus 0.7.4 contains an unquoted service path vulnerability in the SbieSvc service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions.",
"id": "GHSA-69gp-4m7w-mhfg",
"modified": "2026-01-16T21:30:36Z",
"published": "2026-01-16T21:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47832"
},
{
"type": "WEB",
"url": "https://github.com/sandboxie-plus/Sandboxie"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49842"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/sandboxie-plus-sbiesvc-unquoted-service-path"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-6F3C-6H7Q-9V52
Vulnerability from github – Published: 2023-04-11 09:30 – Updated: 2024-04-04 03:24WAB-MAT Ver.5.0.0.8 and earlier starts another program with an unquoted file path. Since a registered Windows service path contains spaces and are unquoted, if a malicious executable is placed on a certain path, the executable may be executed with the privilege of the Windows service.
{
"affected": [],
"aliases": [
"CVE-2023-22282"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-11T09:15:00Z",
"severity": "HIGH"
},
"details": "WAB-MAT Ver.5.0.0.8 and earlier starts another program with an unquoted file path. Since a registered Windows service path contains spaces and are unquoted, if a malicious executable is placed on a certain path, the executable may be executed with the privilege of the Windows service.",
"id": "GHSA-6f3c-6h7q-9v52",
"modified": "2024-04-04T03:24:04Z",
"published": "2023-04-11T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22282"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN35246979"
},
{
"type": "WEB",
"url": "https://www.elecom.co.jp/news/security/20230324-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6FGV-P835-W43W
Vulnerability from github – Published: 2022-09-14 00:00 – Updated: 2022-09-22 00:00In SAP Business One application when a service is created, the executable path contains spaces and isn’t enclosed within quotes, leading to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges. If the service is exploited by adversaries, it can be used to gain privileged permissions on a system or network leading to high impact on Confidentiality, Integrity, and Availability.
{
"affected": [],
"aliases": [
"CVE-2022-35292"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-13T16:15:00Z",
"severity": "HIGH"
},
"details": "In SAP Business One application when a service is created, the executable path contains spaces and isn\u2019t enclosed within quotes, leading to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges. If the service is exploited by adversaries, it can be used to gain privileged permissions on a system or network leading to high impact on Confidentiality, Integrity, and Availability.",
"id": "GHSA-6fgv-p835-w43w",
"modified": "2022-09-22T00:00:24Z",
"published": "2022-09-14T00:00:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cla-assistant/cla-assistant/security/advisories/GHSA-jjjv-grgr-v8h3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35292"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3223392"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6FWV-WGRV-C6GJ
Vulnerability from github – Published: 2022-05-17 01:07 – Updated: 2022-05-17 01:07An unquoted service path vulnerability was identified in the driver for the ElanTech Touchpad, various versions, used on some Lenovo brand notebooks (not ThinkPads). This could allow an attacker with local privileges to execute code with administrative privileges.
{
"affected": [],
"aliases": [
"CVE-2017-3757"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-29T01:35:00Z",
"severity": "HIGH"
},
"details": "An unquoted service path vulnerability was identified in the driver for the ElanTech Touchpad, various versions, used on some Lenovo brand notebooks (not ThinkPads). This could allow an attacker with local privileges to execute code with administrative privileges.",
"id": "GHSA-6fwv-wgrv-c6gj",
"modified": "2022-05-17T01:07:50Z",
"published": "2022-05-17T01:07:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3757"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/us/en/product_security/LEN-14390"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6H24-XX5G-P323
Vulnerability from github – Published: 2022-05-17 00:26 – Updated: 2022-05-17 00:26Nero 7.10.1.0 has an unquoted BINARY_PATH_NAME for NBService, exploitable via a Trojan horse Nero.exe file in the %PROGRAMFILES(x86)%\Nero directory.
{
"affected": [],
"aliases": [
"CVE-2017-15383"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-16T17:29:00Z",
"severity": "HIGH"
},
"details": "Nero 7.10.1.0 has an unquoted BINARY_PATH_NAME for NBService, exploitable via a Trojan horse Nero.exe file in the %PROGRAMFILES(x86)%\\Nero directory.",
"id": "GHSA-6h24-xx5g-p323",
"modified": "2022-05-17T00:26:05Z",
"published": "2022-05-17T00:26:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15383"
},
{
"type": "WEB",
"url": "https://cxsecurity.com/issue/WLB-2016110092"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/139658/Nero-7.10.1.0-Privilege-Escalation.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6H85-5GXW-42H9
Vulnerability from github – Published: 2024-04-23 15:30 – Updated: 2024-07-03 18:36An unquoted service path vulnerability in Terratec DMX_6Fire USB v.1.23.0.02 allows a local attacker to escalate privileges via the Program.exe component.
{
"affected": [],
"aliases": [
"CVE-2024-31804"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-23T15:15:49Z",
"severity": "LOW"
},
"details": "An unquoted service path vulnerability in Terratec DMX_6Fire USB v.1.23.0.02 allows a local attacker to escalate privileges via the Program.exe component.",
"id": "GHSA-6h85-5gxw-42h9",
"modified": "2024-07-03T18:36:39Z",
"published": "2024-04-23T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31804"
},
{
"type": "WEB",
"url": "https://medium.com/%40kobbycyber/terratec-dmx-6fire-usb-unquoted-service-path-cve-2024-31804-70cced459202"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/51977"
},
{
"type": "WEB",
"url": "https://www.ired.team/offensive-security/privilege-escalation/unquoted-service-paths"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6HQW-7984-94R6
Vulnerability from github – Published: 2022-07-22 00:00 – Updated: 2022-07-29 00:00There is an unquoted service path in ASUSTeK Aura Ready Game SDK service (GameSDK.exe) 1.0.0.4. This might allow a local user to escalate privileges by creating a %PROGRAMFILES(X86)%\ASUS\GameSDK.exe file.
{
"affected": [],
"aliases": [
"CVE-2022-35899"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-21T17:15:00Z",
"severity": "HIGH"
},
"details": "There is an unquoted service path in ASUSTeK Aura Ready Game SDK service (GameSDK.exe) 1.0.0.4. This might allow a local user to escalate privileges by creating a %PROGRAMFILES(X86)%\\ASUS\\GameSDK.exe file.",
"id": "GHSA-6hqw-7984-94r6",
"modified": "2022-07-29T00:00:27Z",
"published": "2022-07-22T00:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35899"
},
{
"type": "WEB",
"url": "https://ASUSTeK.com"
},
{
"type": "WEB",
"url": "https://github.com/AngeloPioAmirante/CVE-2022-35899"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/167763/Asus-GameSDK-1.0.0.4-Unquoted-Service-Path.html"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/50985"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6HRV-VGX8-Q9XM
Vulnerability from github – Published: 2026-02-01 15:32 – Updated: 2026-02-01 15:32TFTP Turbo 4.6.1273 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions.
{
"affected": [],
"aliases": [
"CVE-2020-37063"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-01T15:16:04Z",
"severity": "HIGH"
},
"details": "TFTP Turbo 4.6.1273 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions.",
"id": "GHSA-6hrv-vgx8-q9xm",
"modified": "2026-02-01T15:32:31Z",
"published": "2026-02-01T15:32:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37063"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/48085"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/tftp-turbo-tftp-turbo-unquoted-service-path"
},
{
"type": "WEB",
"url": "https://www.weird-solutions.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Properly quote the full search path before executing a program on the system.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.