Common Weakness Enumeration

CWE-426

Allowed-with-Review

Untrusted Search Path

Abstraction: Base · Status: Stable

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

895 vulnerabilities reference this CWE, most recent first.

GHSA-5RVW-257C-FPQ2

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33
VLAI
Details

Check Point Endpoint Security Client for Windows, with Anti-Bot or Threat Emulation blades installed, before version E83.20, tries to load a non-existent DLL during a query for the Domain Name. An attacker with administrator privileges can leverage this to gain code execution within a Check Point Software Technologies signed binary, where under certain circumstances may cause the client to terminate.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-6014"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-02T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Check Point Endpoint Security Client for Windows, with Anti-Bot or Threat Emulation blades installed, before version E83.20, tries to load a non-existent DLL during a query for the Domain Name. An attacker with administrator privileges can leverage this to gain code execution within a Check Point Software Technologies signed binary, where under certain circumstances may cause the client to terminate.",
  "id": "GHSA-5rvw-257c-fpq2",
  "modified": "2022-05-24T17:33:04Z",
  "published": "2022-05-24T17:33:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6014"
    },
    {
      "type": "WEB",
      "url": "https://supportcontent.checkpoint.com/solutions?id=sk168081"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-5V9P-R9HP-37JV

Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2024-04-04 00:08
VLAI
Details

Symantec Endpoint Protection Manager (SEPM) prior to and including 12.1 RU6 MP9 and prior to 14.2 RU1 may be susceptible to a DLL Preloading vulnerability, which is a type of issue that can occur when an application looks to call a DLL for execution and an attacker provides a malicious DLL to use instead.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-18367"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-25T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "Symantec Endpoint Protection Manager (SEPM) prior to and including 12.1 RU6 MP9 and prior to 14.2 RU1 may be susceptible to a DLL Preloading vulnerability, which is a type of issue that can occur when an application looks to call a DLL for execution and an attacker provides a malicious DLL to use instead.",
  "id": "GHSA-5v9p-r9hp-37jv",
  "modified": "2024-04-04T00:08:51Z",
  "published": "2022-05-24T16:44:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18367"
    },
    {
      "type": "WEB",
      "url": "https://support.symantec.com/en_US/article.SYMSA1479.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107996"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5VWH-R8F6-4W5C

Vulnerability from github – Published: 2024-03-12 18:31 – Updated: 2024-03-12 18:31
VLAI
Details

Microsoft Exchange Server Remote Code Execution Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26198"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-12T17:15:58Z",
    "severity": "HIGH"
  },
  "details": "Microsoft Exchange Server Remote Code Execution Vulnerability",
  "id": "GHSA-5vwh-r8f6-4w5c",
  "modified": "2024-03-12T18:31:14Z",
  "published": "2024-03-12T18:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26198"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26198"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5W6R-H2M8-3MXG

Vulnerability from github – Published: 2025-05-11 18:30 – Updated: 2025-05-23 18:31
VLAI
Details

A vulnerability was found in MTSoftware C-Lodop 6.6.1.1. It has been rated as critical. This issue affects some unknown processing of the component CLodopPrintService. The manipulation leads to unquoted search path. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 6.6.13 is able to address this issue. It is recommended to upgrade the affected component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4540"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426",
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-11T16:15:50Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was found in MTSoftware C-Lodop 6.6.1.1. It has been rated as critical. This issue affects some unknown processing of the component CLodopPrintService. The manipulation leads to unquoted search path. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 6.6.13 is able to address this issue. It is recommended to upgrade the affected component.",
  "id": "GHSA-5w6r-h2m8-3mxg",
  "modified": "2025-05-23T18:31:54Z",
  "published": "2025-05-11T18:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4540"
    },
    {
      "type": "WEB",
      "url": "https://0nightsedge0.github.io/2025/05/14/CVE-2025-4540-C-Lodop"
    },
    {
      "type": "WEB",
      "url": "https://mega.nz/folder/A5lQQKpL#AF3WPzST3X1Ot6B6fs3bow"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.308285"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.308285"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.566789"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5WWW-969V-2V3G

Vulnerability from github – Published: 2022-05-17 02:28 – Updated: 2022-05-17 02:28
VLAI
Details

Untrusted search path vulnerability in Installer of Denshinouhin Check System (for Ministry of Agriculture, Forestry and Fisheries Nouson Seibi Jigyou) 2014 March Edition (Ver.9.0.001.001) [Updated on 2017 June 9], (Ver.8.0.001.001) [Updated on 2016 May 31] and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-2188"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-07T13:29:00Z",
    "severity": "HIGH"
  },
  "details": "Untrusted search path vulnerability in Installer of Denshinouhin Check System (for Ministry of Agriculture, Forestry and Fisheries Nouson Seibi Jigyou) 2014 March Edition (Ver.9.0.001.001) [Updated on 2017 June 9], (Ver.8.0.001.001) [Updated on 2016 May 31] and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
  "id": "GHSA-5www-969v-2v3g",
  "modified": "2022-05-17T02:28:18Z",
  "published": "2022-05-17T02:28:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2188"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN65154137/index.html"
    },
    {
      "type": "WEB",
      "url": "http://www.maff.go.jp/j/nousin/seko/nouhin_youryou/densi.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-62M8-JX79-7C6Q

Vulnerability from github – Published: 2022-05-17 02:40 – Updated: 2022-05-17 02:40
VLAI
Details

Untrusted search path vulnerability in the installer of SaAT Personal ver.1.0.10.272 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-2207"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-09T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "Untrusted search path vulnerability in the installer of SaAT Personal ver.1.0.10.272 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
  "id": "GHSA-62m8-jx79-7c6q",
  "modified": "2022-05-17T02:40:38Z",
  "published": "2022-05-17T02:40:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2207"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN08020381/index.html"
    },
    {
      "type": "WEB",
      "url": "https://www.saat.jp/information/personal/2017/0531_security_update_info.php"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98809"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-62PF-2C82-X5XC

Vulnerability from github – Published: 2024-06-11 18:30 – Updated: 2024-06-11 18:30
VLAI
Details

Microsoft SharePoint Server Remote Code Execution Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30100"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-11T17:15:59Z",
    "severity": "HIGH"
  },
  "details": "Microsoft SharePoint Server Remote Code Execution Vulnerability",
  "id": "GHSA-62pf-2c82-x5xc",
  "modified": "2024-06-11T18:30:49Z",
  "published": "2024-06-11T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30100"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30100"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-62QH-J3W2-PGRJ

Vulnerability from github – Published: 2022-05-14 03:18 – Updated: 2022-05-14 03:18
VLAI
Details

An exploitable dll hijacking vulnerability exists in the poaService.exe service component of the Dell Precision Optimizer software version 3.5.5.0. A specifically named malicious dll file located in one of directories pointed to by the PATH environment variable will lead to privilege escalation. An attacker with local access to vulnerable system can exploit this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-2802"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-24T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "An exploitable dll hijacking vulnerability exists in the poaService.exe service component of the Dell Precision Optimizer software version 3.5.5.0. A specifically named malicious dll file located in one of directories pointed to by the PATH environment variable will lead to privilege escalation. An attacker with local access to vulnerable system can exploit this vulnerability.",
  "id": "GHSA-62qh-j3w2-pgrj",
  "modified": "2022-05-14T03:18:33Z",
  "published": "2022-05-14T03:18:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2802"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0247"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99360"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6396-M98J-2QHJ

Vulnerability from github – Published: 2025-01-20 03:30 – Updated: 2025-01-20 03:30
VLAI
Details

A vulnerability has been found in obsproject OBS Studio up to 30.0.2 on Windows and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to untrusted search path. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation appears to be difficult. It is recommended to apply a patch to fix this issue. The vendor disagrees that this issue is "something worth reporting, as every attack surface requires privileged access/user compromise".

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13524"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-20T03:15:08Z",
    "severity": "LOW"
  },
  "details": "A vulnerability has been found in obsproject OBS Studio up to 30.0.2 on Windows and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to untrusted search path. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation appears to be difficult. It is recommended to apply a patch to fix this issue. The vendor disagrees that this issue is \"something worth reporting, as every attack surface requires privileged access/user compromise\".",
  "id": "GHSA-6396-m98j-2qhj",
  "modified": "2025-01-20T03:30:51Z",
  "published": "2025-01-20T03:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13524"
    },
    {
      "type": "WEB",
      "url": "https://github.com/obsproject/obs-studio/pull/11569"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.292495"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.292495"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.480875"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-639W-49FR-8W85

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2025-04-11 03:40
VLAI
Details

Untrusted search path vulnerability in Explzh 5.67 and earlier allows local users to gain privileges via a Trojan horse executable file in the current working directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-3159"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-10-25T20:01:00Z",
    "severity": "MODERATE"
  },
  "details": "Untrusted search path vulnerability in Explzh 5.67 and earlier allows local users to gain privileges via a Trojan horse executable file in the current working directory.",
  "id": "GHSA-639w-49fr-8w85",
  "modified": "2025-04-11T03:40:38Z",
  "published": "2022-05-13T01:23:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3159"
    },
    {
      "type": "WEB",
      "url": "http://jvn.jp/en/jp/JVN85599999/index.html"
    },
    {
      "type": "WEB",
      "url": "http://jvndb.jvn.jp/en/contents/2010/JVNDB-2010-000043.html"
    },
    {
      "type": "WEB",
      "url": "http://www.ponsoftware.com/en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design Implementation

Strategy: Attack Surface Reduction

Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.

Mitigation
Implementation

When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.

Mitigation
Implementation

Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.

Mitigation
Implementation

Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.

Mitigation
Implementation

Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.

CAPEC-38: Leveraging/Manipulating Configuration File Search Paths

This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.