CWE-426
Allowed-with-ReviewUntrusted Search Path
Abstraction: Base · Status: Stable
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
895 vulnerabilities reference this CWE, most recent first.
GHSA-5RVW-257C-FPQ2
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33Check Point Endpoint Security Client for Windows, with Anti-Bot or Threat Emulation blades installed, before version E83.20, tries to load a non-existent DLL during a query for the Domain Name. An attacker with administrator privileges can leverage this to gain code execution within a Check Point Software Technologies signed binary, where under certain circumstances may cause the client to terminate.
{
"affected": [],
"aliases": [
"CVE-2020-6014"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-02T21:15:00Z",
"severity": "MODERATE"
},
"details": "Check Point Endpoint Security Client for Windows, with Anti-Bot or Threat Emulation blades installed, before version E83.20, tries to load a non-existent DLL during a query for the Domain Name. An attacker with administrator privileges can leverage this to gain code execution within a Check Point Software Technologies signed binary, where under certain circumstances may cause the client to terminate.",
"id": "GHSA-5rvw-257c-fpq2",
"modified": "2022-05-24T17:33:04Z",
"published": "2022-05-24T17:33:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6014"
},
{
"type": "WEB",
"url": "https://supportcontent.checkpoint.com/solutions?id=sk168081"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5V9P-R9HP-37JV
Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2024-04-04 00:08Symantec Endpoint Protection Manager (SEPM) prior to and including 12.1 RU6 MP9 and prior to 14.2 RU1 may be susceptible to a DLL Preloading vulnerability, which is a type of issue that can occur when an application looks to call a DLL for execution and an attacker provides a malicious DLL to use instead.
{
"affected": [],
"aliases": [
"CVE-2018-18367"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-25T20:29:00Z",
"severity": "HIGH"
},
"details": "Symantec Endpoint Protection Manager (SEPM) prior to and including 12.1 RU6 MP9 and prior to 14.2 RU1 may be susceptible to a DLL Preloading vulnerability, which is a type of issue that can occur when an application looks to call a DLL for execution and an attacker provides a malicious DLL to use instead.",
"id": "GHSA-5v9p-r9hp-37jv",
"modified": "2024-04-04T00:08:51Z",
"published": "2022-05-24T16:44:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18367"
},
{
"type": "WEB",
"url": "https://support.symantec.com/en_US/article.SYMSA1479.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107996"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5VWH-R8F6-4W5C
Vulnerability from github – Published: 2024-03-12 18:31 – Updated: 2024-03-12 18:31Microsoft Exchange Server Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-26198"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-12T17:15:58Z",
"severity": "HIGH"
},
"details": "Microsoft Exchange Server Remote Code Execution Vulnerability",
"id": "GHSA-5vwh-r8f6-4w5c",
"modified": "2024-03-12T18:31:14Z",
"published": "2024-03-12T18:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26198"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26198"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5W6R-H2M8-3MXG
Vulnerability from github – Published: 2025-05-11 18:30 – Updated: 2025-05-23 18:31A vulnerability was found in MTSoftware C-Lodop 6.6.1.1. It has been rated as critical. This issue affects some unknown processing of the component CLodopPrintService. The manipulation leads to unquoted search path. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 6.6.13 is able to address this issue. It is recommended to upgrade the affected component.
{
"affected": [],
"aliases": [
"CVE-2025-4540"
],
"database_specific": {
"cwe_ids": [
"CWE-426",
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-11T16:15:50Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in MTSoftware C-Lodop 6.6.1.1. It has been rated as critical. This issue affects some unknown processing of the component CLodopPrintService. The manipulation leads to unquoted search path. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 6.6.13 is able to address this issue. It is recommended to upgrade the affected component.",
"id": "GHSA-5w6r-h2m8-3mxg",
"modified": "2025-05-23T18:31:54Z",
"published": "2025-05-11T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4540"
},
{
"type": "WEB",
"url": "https://0nightsedge0.github.io/2025/05/14/CVE-2025-4540-C-Lodop"
},
{
"type": "WEB",
"url": "https://mega.nz/folder/A5lQQKpL#AF3WPzST3X1Ot6B6fs3bow"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.308285"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.308285"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.566789"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5WWW-969V-2V3G
Vulnerability from github – Published: 2022-05-17 02:28 – Updated: 2022-05-17 02:28Untrusted search path vulnerability in Installer of Denshinouhin Check System (for Ministry of Agriculture, Forestry and Fisheries Nouson Seibi Jigyou) 2014 March Edition (Ver.9.0.001.001) [Updated on 2017 June 9], (Ver.8.0.001.001) [Updated on 2016 May 31] and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2017-2188"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-07T13:29:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in Installer of Denshinouhin Check System (for Ministry of Agriculture, Forestry and Fisheries Nouson Seibi Jigyou) 2014 March Edition (Ver.9.0.001.001) [Updated on 2017 June 9], (Ver.8.0.001.001) [Updated on 2016 May 31] and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-5www-969v-2v3g",
"modified": "2022-05-17T02:28:18Z",
"published": "2022-05-17T02:28:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2188"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN65154137/index.html"
},
{
"type": "WEB",
"url": "http://www.maff.go.jp/j/nousin/seko/nouhin_youryou/densi.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-62M8-JX79-7C6Q
Vulnerability from github – Published: 2022-05-17 02:40 – Updated: 2022-05-17 02:40Untrusted search path vulnerability in the installer of SaAT Personal ver.1.0.10.272 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2017-2207"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-09T16:29:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in the installer of SaAT Personal ver.1.0.10.272 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-62m8-jx79-7c6q",
"modified": "2022-05-17T02:40:38Z",
"published": "2022-05-17T02:40:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2207"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN08020381/index.html"
},
{
"type": "WEB",
"url": "https://www.saat.jp/information/personal/2017/0531_security_update_info.php"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98809"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-62PF-2C82-X5XC
Vulnerability from github – Published: 2024-06-11 18:30 – Updated: 2024-06-11 18:30Microsoft SharePoint Server Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-30100"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-11T17:15:59Z",
"severity": "HIGH"
},
"details": "Microsoft SharePoint Server Remote Code Execution Vulnerability",
"id": "GHSA-62pf-2c82-x5xc",
"modified": "2024-06-11T18:30:49Z",
"published": "2024-06-11T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30100"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30100"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-62QH-J3W2-PGRJ
Vulnerability from github – Published: 2022-05-14 03:18 – Updated: 2022-05-14 03:18An exploitable dll hijacking vulnerability exists in the poaService.exe service component of the Dell Precision Optimizer software version 3.5.5.0. A specifically named malicious dll file located in one of directories pointed to by the PATH environment variable will lead to privilege escalation. An attacker with local access to vulnerable system can exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2017-2802"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-24T19:29:00Z",
"severity": "HIGH"
},
"details": "An exploitable dll hijacking vulnerability exists in the poaService.exe service component of the Dell Precision Optimizer software version 3.5.5.0. A specifically named malicious dll file located in one of directories pointed to by the PATH environment variable will lead to privilege escalation. An attacker with local access to vulnerable system can exploit this vulnerability.",
"id": "GHSA-62qh-j3w2-pgrj",
"modified": "2022-05-14T03:18:33Z",
"published": "2022-05-14T03:18:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2802"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0247"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99360"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6396-M98J-2QHJ
Vulnerability from github – Published: 2025-01-20 03:30 – Updated: 2025-01-20 03:30A vulnerability has been found in obsproject OBS Studio up to 30.0.2 on Windows and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to untrusted search path. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation appears to be difficult. It is recommended to apply a patch to fix this issue. The vendor disagrees that this issue is "something worth reporting, as every attack surface requires privileged access/user compromise".
{
"affected": [],
"aliases": [
"CVE-2024-13524"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-20T03:15:08Z",
"severity": "LOW"
},
"details": "A vulnerability has been found in obsproject OBS Studio up to 30.0.2 on Windows and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to untrusted search path. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation appears to be difficult. It is recommended to apply a patch to fix this issue. The vendor disagrees that this issue is \"something worth reporting, as every attack surface requires privileged access/user compromise\".",
"id": "GHSA-6396-m98j-2qhj",
"modified": "2025-01-20T03:30:51Z",
"published": "2025-01-20T03:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13524"
},
{
"type": "WEB",
"url": "https://github.com/obsproject/obs-studio/pull/11569"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.292495"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.292495"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.480875"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-639W-49FR-8W85
Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2025-04-11 03:40Untrusted search path vulnerability in Explzh 5.67 and earlier allows local users to gain privileges via a Trojan horse executable file in the current working directory.
{
"affected": [],
"aliases": [
"CVE-2010-3159"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-10-25T20:01:00Z",
"severity": "MODERATE"
},
"details": "Untrusted search path vulnerability in Explzh 5.67 and earlier allows local users to gain privileges via a Trojan horse executable file in the current working directory.",
"id": "GHSA-639w-49fr-8w85",
"modified": "2025-04-11T03:40:38Z",
"published": "2022-05-13T01:23:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3159"
},
{
"type": "WEB",
"url": "http://jvn.jp/en/jp/JVN85599999/index.html"
},
{
"type": "WEB",
"url": "http://jvndb.jvn.jp/en/contents/2010/JVNDB-2010-000043.html"
},
{
"type": "WEB",
"url": "http://www.ponsoftware.com/en"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Strategy: Attack Surface Reduction
Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
Mitigation
When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.
Mitigation
Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.
Mitigation
Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.
Mitigation
Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.
CAPEC-38: Leveraging/Manipulating Configuration File Search Paths
This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.