Common Weakness Enumeration

CWE-426

Allowed-with-Review

Untrusted Search Path

Abstraction: Base · Status: Stable

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

895 vulnerabilities reference this CWE, most recent first.

GHSA-C2J7-MGRP-5G3P

Vulnerability from github – Published: 2022-05-17 02:43 – Updated: 2022-05-17 02:43
VLAI
Details

Untrusted search path vulnerability in Empirical Project Monitor - eXtended all versions allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-2175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-22T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "Untrusted search path vulnerability in Empirical Project Monitor - eXtended all versions allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.",
  "id": "GHSA-c2j7-mgrp-5g3p",
  "modified": "2022-05-17T02:43:13Z",
  "published": "2022-05-17T02:43:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2175"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN12493656/index.html"
    },
    {
      "type": "WEB",
      "url": "https://www.ipa.go.jp/sec/info/20170519.html"
    },
    {
      "type": "WEB",
      "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2017-000098"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C2M5-74M2-8279

Vulnerability from github – Published: 2022-05-17 02:27 – Updated: 2022-05-17 02:27
VLAI
Details

Untrusted search path vulnerability in FileCapsule Deluxe Portable Ver.1.0.4.1 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-2265"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-17T13:18:00Z",
    "severity": "HIGH"
  },
  "details": "Untrusted search path vulnerability in FileCapsule Deluxe Portable Ver.1.0.4.1 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
  "id": "GHSA-c2m5-74m2-8279",
  "modified": "2022-05-17T02:27:39Z",
  "published": "2022-05-17T02:27:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2265"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN42031953/index.html"
    },
    {
      "type": "WEB",
      "url": "http://resumenext.blog.fc2.com/blog-entry-30.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C2XF-G8C5-V9P9

Vulnerability from github – Published: 2022-05-14 01:38 – Updated: 2022-05-14 01:38
VLAI
Details

Flash Player versions 31.0.0.153 and earlier, and 31.0.0.108 and earlier have an insecure library loading (dll hijacking) vulnerability. Successful exploitation could lead to privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-15983"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-18T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "Flash Player versions 31.0.0.153 and earlier, and 31.0.0.108 and earlier have an insecure library loading (dll hijacking) vulnerability. Successful exploitation could lead to privilege escalation.",
  "id": "GHSA-c2xf-g8c5-v9p9",
  "modified": "2022-05-14T01:38:49Z",
  "published": "2022-05-14T01:38:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15983"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/flash-player/apsb18-42.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106108"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C332-G293-HMXG

Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2024-04-04 01:56
VLAI
Details

DLL Search Order Hijacking vulnerability in Microsoft Windows client in McAfee Total Protection (MTP) Free Antivirus Trial 16.0.R18 and earlier allows local users to execute arbitrary code via execution from a compromised folder placed by an attacker with administrator rights.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-3646"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-13T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "DLL Search Order Hijacking vulnerability in Microsoft Windows client in McAfee Total Protection (MTP) Free Antivirus Trial 16.0.R18 and earlier allows local users to execute arbitrary code via execution from a compromised folder placed by an attacker with administrator rights.",
  "id": "GHSA-c332-g293-hmxg",
  "modified": "2024-04-04T01:56:58Z",
  "published": "2022-05-24T16:56:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3646"
    },
    {
      "type": "WEB",
      "url": "http://service.mcafee.com/FAQDocument.aspx?\u0026id=TS102968"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C363-M38V-37Q6

Vulnerability from github – Published: 2022-05-14 01:22 – Updated: 2022-05-14 01:22
VLAI
Details

Untrusted search path vulnerability in Windows 7 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-5921"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-12T22:29:00Z",
    "severity": "HIGH"
  },
  "details": "Untrusted search path vulnerability in Windows 7 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
  "id": "GHSA-c363-m38v-37q6",
  "modified": "2022-05-14T01:22:06Z",
  "published": "2022-05-14T01:22:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5921"
    },
    {
      "type": "WEB",
      "url": "http://jvn.jp/en/jp/JVN69181574/index.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107218"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C4C3-F77Q-3VH4

Vulnerability from github – Published: 2022-05-14 03:17 – Updated: 2022-05-14 03:17
VLAI
Details

Adobe InDesign versions 13.0 and below have an exploitable Untrusted Search Path vulnerability. Successful exploitation could lead to local privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-4927"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-19T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "Adobe InDesign versions 13.0 and below have an exploitable Untrusted Search Path vulnerability. Successful exploitation could lead to local privilege escalation.",
  "id": "GHSA-c4c3-f77q-3vh4",
  "modified": "2022-05-14T03:17:15Z",
  "published": "2022-05-14T03:17:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4927"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/indesign/apsb18-11.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103716"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C4M7-2GWP-VW76

Vulnerability from github – Published: 2026-05-29 21:22 – Updated: 2026-05-29 21:22
VLAI
Summary
ouroboros-ai Vulnerable to Remote Code Execution via Untrusted Project-Directory .env
Details

Impact

A Remote Code Execution (RCE) vulnerability was discovered in Ouroboros. If a user clones a malicious repository and runs Ouroboros commands within that directory, it can lead to arbitrary code execution and potential system takeover.

The vulnerability (CWE-426: Untrusted Search Path & CWE-15: External Control of System Setting) stems from Ouroboros loading the .env file from the current working directory. Prior to the patch, execution-affecting environment variables such as OUROBOROS_CLI_PATH, OPENCODE_CLI_PATH, and other backend selectors were accepted directly from this local .env. An attacker could include a malicious script in the repository and point the CLI path variable to it (e.g., OUROBOROS_CLI_PATH=./malicious_script.sh). When the user executes a command like ouroboros init or any command that instantiates the adapter, the malicious script is executed instead of the intended CLI.

Patches

The vulnerability has been patched in version 0.39.0 via PR #1078. The fix establishes a strict trust boundary by applying a denylist to project-local .env loading. It blocks execution-affecting environment variables (such as runtime selectors and CLI path overrides) from being loaded from the project directory. Explicit constructor overrides and trusted user-owned home configurations (~/.ouroboros/.env) remain fully functional.

Users are strongly advised to upgrade to version 0.39.0 or later.

Workarounds

If upgrading is not immediately possible, users must carefully inspect any .env file inside cloned repositories before running Ouroboros commands to ensure it does not contain unexpected OUROBOROS_*_CLI_PATH or OPENCODE_CLI_PATH overrides.

References

  • GitHub PR: https://github.com/Q00/ouroboros/pull/1078
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ouroboros-ai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.39.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47211"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-29T21:22:41Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nA Remote Code Execution (RCE) vulnerability was discovered in Ouroboros. If a user clones a malicious repository and runs Ouroboros commands within that directory, it can lead to arbitrary code execution and potential system takeover.\n\nThe vulnerability (CWE-426: Untrusted Search Path \u0026 CWE-15: External Control of System Setting) stems from Ouroboros loading the `.env` file from the current working directory. Prior to the patch, execution-affecting environment variables such as `OUROBOROS_CLI_PATH`, `OPENCODE_CLI_PATH`, and other backend selectors were accepted directly from this local `.env`. An attacker could include a malicious script in the repository and point the CLI path variable to it (e.g., `OUROBOROS_CLI_PATH=./malicious_script.sh`). When the user executes a command like `ouroboros init` or any command that instantiates the adapter, the malicious script is executed instead of the intended CLI.\n\n### Patches\nThe vulnerability has been patched in version 0.39.0 via PR #1078.\nThe fix establishes a strict trust boundary by applying a denylist to project-local `.env` loading. It blocks execution-affecting environment variables (such as runtime selectors and CLI path overrides) from being loaded from the project directory. Explicit constructor overrides and trusted user-owned home configurations (`~/.ouroboros/.env`) remain fully functional. \n\nUsers are strongly advised to upgrade to version 0.39.0 or later.\n\n### Workarounds\nIf upgrading is not immediately possible, users must carefully inspect any `.env` file inside cloned repositories before running Ouroboros commands to ensure it does not contain unexpected `OUROBOROS_*_CLI_PATH` or `OPENCODE_CLI_PATH` overrides.\n\n### References\n- GitHub PR: https://github.com/Q00/ouroboros/pull/1078",
  "id": "GHSA-c4m7-2gwp-vw76",
  "modified": "2026-05-29T21:22:41Z",
  "published": "2026-05-29T21:22:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Q00/ouroboros/security/advisories/GHSA-c4m7-2gwp-vw76"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Q00/ouroboros/pull/1078"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Q00/ouroboros/commit/4e70b760b4eb157469b58645339ba831f6513d37"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Q00/ouroboros"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ouroboros-ai Vulnerable to Remote Code Execution via Untrusted Project-Directory .env"
}

GHSA-C4WM-58W2-W4M2

Vulnerability from github – Published: 2022-05-17 02:27 – Updated: 2022-05-17 02:27
VLAI
Details

Untrusted search path vulnerability in Self-extracting archive files created by Lhaz+ version 3.4.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-2249"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-17T13:18:00Z",
    "severity": "HIGH"
  },
  "details": "Untrusted search path vulnerability in Self-extracting archive files created by Lhaz+ version 3.4.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
  "id": "GHSA-c4wm-58w2-w4m2",
  "modified": "2022-05-17T02:27:36Z",
  "published": "2022-05-17T02:27:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2249"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN21369452/index.html"
    },
    {
      "type": "WEB",
      "url": "http://chitora.com/jvn21369452.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C56C-HF5F-5XJH

Vulnerability from github – Published: 2024-06-16 18:31 – Updated: 2024-08-07 21:31
VLAI
Details

iRODS before 4.3.2 provides an msiSendMail function with a problematic dependency on the mail binary, such as in the mailMS.cpp#L94-L106 reference.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38462"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-16T16:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "iRODS before 4.3.2 provides an msiSendMail function with a problematic dependency on the mail binary, such as in the mailMS.cpp#L94-L106 reference.",
  "id": "GHSA-c56c-hf5f-5xjh",
  "modified": "2024-08-07T21:31:43Z",
  "published": "2024-06-16T18:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38462"
    },
    {
      "type": "WEB",
      "url": "https://github.com/irods/irods/issues/7562"
    },
    {
      "type": "WEB",
      "url": "https://github.com/irods/irods/issues/7651"
    },
    {
      "type": "WEB",
      "url": "https://github.com/irods/irods/blob/97eb33f130349db5e01a4b85e89dd1da81460345/server/re/src/mailMS.cpp#L94-L106"
    },
    {
      "type": "WEB",
      "url": "https://irods.org/2024/05/irods-4-3-2-is-released"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C56H-5FH8-XJPV

Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2022-05-24 17:01
VLAI
Details

Adobe Animate CC versions 19.2.1 and earlier have an insecure library loading (dll hijacking) vulnerability. Successful exploitation could lead to privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-7960"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426",
      "CWE-427"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-14T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Adobe Animate CC versions 19.2.1 and earlier have an insecure library loading (dll hijacking) vulnerability. Successful exploitation could lead to privilege escalation.",
  "id": "GHSA-c56h-5fh8-xjpv",
  "modified": "2022-05-24T17:01:20Z",
  "published": "2022-05-24T17:01:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7960"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/animate/apsb19-34.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design Implementation

Strategy: Attack Surface Reduction

Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.

Mitigation
Implementation

When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.

Mitigation
Implementation

Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.

Mitigation
Implementation

Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.

Mitigation
Implementation

Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.

CAPEC-38: Leveraging/Manipulating Configuration File Search Paths

This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.