Common Weakness Enumeration

CWE-428

Allowed

Unquoted Search Path or Element

Abstraction: Base · Status: Draft

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.

761 vulnerabilities reference this CWE, most recent first.

GHSA-67MF-8W9H-JP3C

Vulnerability from github – Published: 2026-02-06 18:30 – Updated: 2026-02-06 18:30
VLAI
Details

Wondershare Application Framework Service 2.4.3.231 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted service path by placing malicious executables in specific directory locations to hijack the service's execution context.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-25266"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-06T17:16:10Z",
    "severity": "HIGH"
  },
  "details": "Wondershare Application Framework Service 2.4.3.231 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted service path by placing malicious executables in specific directory locations to hijack the service\u0027s execution context.",
  "id": "GHSA-67mf-8w9h-jp3c",
  "modified": "2026-02-06T18:30:31Z",
  "published": "2026-02-06T18:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25266"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/47617"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/wondershare-application-framework-service-wsappservice-unquote-service-path"
    },
    {
      "type": "WEB",
      "url": "https://www.wondershare.com"
    },
    {
      "type": "WEB",
      "url": "https://www.wondershare.com/drfone"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-695Q-XR4M-VPV8

Vulnerability from github – Published: 2026-02-05 00:31 – Updated: 2026-02-05 00:31
VLAI
Details

Shrew Soft VPN Client 2.2.2 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can place malicious executables in the unquoted service path to gain elevated access during service startup or system reboot.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-25283"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-05T00:15:52Z",
    "severity": "HIGH"
  },
  "details": "Shrew Soft VPN Client 2.2.2 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can place malicious executables in the unquoted service path to gain elevated access during service startup or system reboot.",
  "id": "GHSA-695q-xr4m-vpv8",
  "modified": "2026-02-05T00:31:01Z",
  "published": "2026-02-05T00:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25283"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/47660"
    },
    {
      "type": "WEB",
      "url": "https://www.shrew.net"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/shrew-soft-vpn-client-iked-unquoted-service-path"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-69GP-4M7W-MHFG

Vulnerability from github – Published: 2026-01-16 21:30 – Updated: 2026-01-16 21:30
VLAI
Details

Sandboxie Plus 0.7.4 contains an unquoted service path vulnerability in the SbieSvc service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47832"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-16T19:16:08Z",
    "severity": "HIGH"
  },
  "details": "Sandboxie Plus 0.7.4 contains an unquoted service path vulnerability in the SbieSvc service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions.",
  "id": "GHSA-69gp-4m7w-mhfg",
  "modified": "2026-01-16T21:30:36Z",
  "published": "2026-01-16T21:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47832"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sandboxie-plus/Sandboxie"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/49842"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/sandboxie-plus-sbiesvc-unquoted-service-path"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6F3C-6H7Q-9V52

Vulnerability from github – Published: 2023-04-11 09:30 – Updated: 2024-04-04 03:24
VLAI
Details

WAB-MAT Ver.5.0.0.8 and earlier starts another program with an unquoted file path. Since a registered Windows service path contains spaces and are unquoted, if a malicious executable is placed on a certain path, the executable may be executed with the privilege of the Windows service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22282"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-11T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "WAB-MAT Ver.5.0.0.8 and earlier starts another program with an unquoted file path. Since a registered Windows service path contains spaces and are unquoted, if a malicious executable is placed on a certain path, the executable may be executed with the privilege of the Windows service.",
  "id": "GHSA-6f3c-6h7q-9v52",
  "modified": "2024-04-04T03:24:04Z",
  "published": "2023-04-11T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22282"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN35246979"
    },
    {
      "type": "WEB",
      "url": "https://www.elecom.co.jp/news/security/20230324-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6FGV-P835-W43W

Vulnerability from github – Published: 2022-09-14 00:00 – Updated: 2022-09-22 00:00
VLAI
Details

In SAP Business One application when a service is created, the executable path contains spaces and isn’t enclosed within quotes, leading to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges. If the service is exploited by adversaries, it can be used to gain privileged permissions on a system or network leading to high impact on Confidentiality, Integrity, and Availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35292"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-13T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "In SAP Business One application when a service is created, the executable path contains spaces and isn\u2019t enclosed within quotes, leading to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges. If the service is exploited by adversaries, it can be used to gain privileged permissions on a system or network leading to high impact on Confidentiality, Integrity, and Availability.",
  "id": "GHSA-6fgv-p835-w43w",
  "modified": "2022-09-22T00:00:24Z",
  "published": "2022-09-14T00:00:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cla-assistant/cla-assistant/security/advisories/GHSA-jjjv-grgr-v8h3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35292"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3223392"
    },
    {
      "type": "WEB",
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6FWV-WGRV-C6GJ

Vulnerability from github – Published: 2022-05-17 01:07 – Updated: 2022-05-17 01:07
VLAI
Details

An unquoted service path vulnerability was identified in the driver for the ElanTech Touchpad, various versions, used on some Lenovo brand notebooks (not ThinkPads). This could allow an attacker with local privileges to execute code with administrative privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-3757"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-29T01:35:00Z",
    "severity": "HIGH"
  },
  "details": "An unquoted service path vulnerability was identified in the driver for the ElanTech Touchpad, various versions, used on some Lenovo brand notebooks (not ThinkPads). This could allow an attacker with local privileges to execute code with administrative privileges.",
  "id": "GHSA-6fwv-wgrv-c6gj",
  "modified": "2022-05-17T01:07:50Z",
  "published": "2022-05-17T01:07:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3757"
    },
    {
      "type": "WEB",
      "url": "https://support.lenovo.com/us/en/product_security/LEN-14390"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6H24-XX5G-P323

Vulnerability from github – Published: 2022-05-17 00:26 – Updated: 2022-05-17 00:26
VLAI
Details

Nero 7.10.1.0 has an unquoted BINARY_PATH_NAME for NBService, exploitable via a Trojan horse Nero.exe file in the %PROGRAMFILES(x86)%\Nero directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15383"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-16T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "Nero 7.10.1.0 has an unquoted BINARY_PATH_NAME for NBService, exploitable via a Trojan horse Nero.exe file in the %PROGRAMFILES(x86)%\\Nero directory.",
  "id": "GHSA-6h24-xx5g-p323",
  "modified": "2022-05-17T00:26:05Z",
  "published": "2022-05-17T00:26:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15383"
    },
    {
      "type": "WEB",
      "url": "https://cxsecurity.com/issue/WLB-2016110092"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/139658/Nero-7.10.1.0-Privilege-Escalation.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6H85-5GXW-42H9

Vulnerability from github – Published: 2024-04-23 15:30 – Updated: 2024-07-03 18:36
VLAI
Details

An unquoted service path vulnerability in Terratec DMX_6Fire USB v.1.23.0.02 allows a local attacker to escalate privileges via the Program.exe component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31804"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-23T15:15:49Z",
    "severity": "LOW"
  },
  "details": "An unquoted service path vulnerability in Terratec DMX_6Fire USB v.1.23.0.02 allows a local attacker to escalate privileges via the Program.exe component.",
  "id": "GHSA-6h85-5gxw-42h9",
  "modified": "2024-07-03T18:36:39Z",
  "published": "2024-04-23T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31804"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/%40kobbycyber/terratec-dmx-6fire-usb-unquoted-service-path-cve-2024-31804-70cced459202"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/51977"
    },
    {
      "type": "WEB",
      "url": "https://www.ired.team/offensive-security/privilege-escalation/unquoted-service-paths"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6HQW-7984-94R6

Vulnerability from github – Published: 2022-07-22 00:00 – Updated: 2022-07-29 00:00
VLAI
Details

There is an unquoted service path in ASUSTeK Aura Ready Game SDK service (GameSDK.exe) 1.0.0.4. This might allow a local user to escalate privileges by creating a %PROGRAMFILES(X86)%\ASUS\GameSDK.exe file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35899"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-21T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "There is an unquoted service path in ASUSTeK Aura Ready Game SDK service (GameSDK.exe) 1.0.0.4. This might allow a local user to escalate privileges by creating a %PROGRAMFILES(X86)%\\ASUS\\GameSDK.exe file.",
  "id": "GHSA-6hqw-7984-94r6",
  "modified": "2022-07-29T00:00:27Z",
  "published": "2022-07-22T00:00:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35899"
    },
    {
      "type": "WEB",
      "url": "https://ASUSTeK.com"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AngeloPioAmirante/CVE-2022-35899"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/167763/Asus-GameSDK-1.0.0.4-Unquoted-Service-Path.html"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/50985"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6HRV-VGX8-Q9XM

Vulnerability from github – Published: 2026-02-01 15:32 – Updated: 2026-02-01 15:32
VLAI
Details

TFTP Turbo 4.6.1273 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-37063"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-01T15:16:04Z",
    "severity": "HIGH"
  },
  "details": "TFTP Turbo 4.6.1273 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions.",
  "id": "GHSA-6hrv-vgx8-q9xm",
  "modified": "2026-02-01T15:32:31Z",
  "published": "2026-02-01T15:32:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37063"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/48085"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/tftp-turbo-tftp-turbo-unquoted-service-path"
    },
    {
      "type": "WEB",
      "url": "https://www.weird-solutions.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation

Properly quote the full search path before executing a program on the system.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

No CAPEC attack patterns related to this CWE.