CWE-426
Allowed-with-ReviewUntrusted Search Path
Abstraction: Base · Status: Stable
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
895 vulnerabilities reference this CWE, most recent first.
GHSA-C2J7-MGRP-5G3P
Vulnerability from github – Published: 2022-05-17 02:43 – Updated: 2022-05-17 02:43Untrusted search path vulnerability in Empirical Project Monitor - eXtended all versions allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2017-2175"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-22T16:29:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in Empirical Project Monitor - eXtended all versions allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-c2j7-mgrp-5g3p",
"modified": "2022-05-17T02:43:13Z",
"published": "2022-05-17T02:43:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2175"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN12493656/index.html"
},
{
"type": "WEB",
"url": "https://www.ipa.go.jp/sec/info/20170519.html"
},
{
"type": "WEB",
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2017-000098"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C2M5-74M2-8279
Vulnerability from github – Published: 2022-05-17 02:27 – Updated: 2022-05-17 02:27Untrusted search path vulnerability in FileCapsule Deluxe Portable Ver.1.0.4.1 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2017-2265"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-17T13:18:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in FileCapsule Deluxe Portable Ver.1.0.4.1 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-c2m5-74m2-8279",
"modified": "2022-05-17T02:27:39Z",
"published": "2022-05-17T02:27:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2265"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN42031953/index.html"
},
{
"type": "WEB",
"url": "http://resumenext.blog.fc2.com/blog-entry-30.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C2XF-G8C5-V9P9
Vulnerability from github – Published: 2022-05-14 01:38 – Updated: 2022-05-14 01:38Flash Player versions 31.0.0.153 and earlier, and 31.0.0.108 and earlier have an insecure library loading (dll hijacking) vulnerability. Successful exploitation could lead to privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2018-15983"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-18T17:29:00Z",
"severity": "HIGH"
},
"details": "Flash Player versions 31.0.0.153 and earlier, and 31.0.0.108 and earlier have an insecure library loading (dll hijacking) vulnerability. Successful exploitation could lead to privilege escalation.",
"id": "GHSA-c2xf-g8c5-v9p9",
"modified": "2022-05-14T01:38:49Z",
"published": "2022-05-14T01:38:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15983"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/flash-player/apsb18-42.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106108"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C332-G293-HMXG
Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2024-04-04 01:56DLL Search Order Hijacking vulnerability in Microsoft Windows client in McAfee Total Protection (MTP) Free Antivirus Trial 16.0.R18 and earlier allows local users to execute arbitrary code via execution from a compromised folder placed by an attacker with administrator rights.
{
"affected": [],
"aliases": [
"CVE-2019-3646"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-13T13:15:00Z",
"severity": "MODERATE"
},
"details": "DLL Search Order Hijacking vulnerability in Microsoft Windows client in McAfee Total Protection (MTP) Free Antivirus Trial 16.0.R18 and earlier allows local users to execute arbitrary code via execution from a compromised folder placed by an attacker with administrator rights.",
"id": "GHSA-c332-g293-hmxg",
"modified": "2024-04-04T01:56:58Z",
"published": "2022-05-24T16:56:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3646"
},
{
"type": "WEB",
"url": "http://service.mcafee.com/FAQDocument.aspx?\u0026id=TS102968"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C363-M38V-37Q6
Vulnerability from github – Published: 2022-05-14 01:22 – Updated: 2022-05-14 01:22Untrusted search path vulnerability in Windows 7 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2019-5921"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-12T22:29:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in Windows 7 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-c363-m38v-37q6",
"modified": "2022-05-14T01:22:06Z",
"published": "2022-05-14T01:22:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5921"
},
{
"type": "WEB",
"url": "http://jvn.jp/en/jp/JVN69181574/index.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107218"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C4C3-F77Q-3VH4
Vulnerability from github – Published: 2022-05-14 03:17 – Updated: 2022-05-14 03:17Adobe InDesign versions 13.0 and below have an exploitable Untrusted Search Path vulnerability. Successful exploitation could lead to local privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2018-4927"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-19T17:29:00Z",
"severity": "HIGH"
},
"details": "Adobe InDesign versions 13.0 and below have an exploitable Untrusted Search Path vulnerability. Successful exploitation could lead to local privilege escalation.",
"id": "GHSA-c4c3-f77q-3vh4",
"modified": "2022-05-14T03:17:15Z",
"published": "2022-05-14T03:17:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4927"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/indesign/apsb18-11.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103716"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C4M7-2GWP-VW76
Vulnerability from github – Published: 2026-05-29 21:22 – Updated: 2026-05-29 21:22Impact
A Remote Code Execution (RCE) vulnerability was discovered in Ouroboros. If a user clones a malicious repository and runs Ouroboros commands within that directory, it can lead to arbitrary code execution and potential system takeover.
The vulnerability (CWE-426: Untrusted Search Path & CWE-15: External Control of System Setting) stems from Ouroboros loading the .env file from the current working directory. Prior to the patch, execution-affecting environment variables such as OUROBOROS_CLI_PATH, OPENCODE_CLI_PATH, and other backend selectors were accepted directly from this local .env. An attacker could include a malicious script in the repository and point the CLI path variable to it (e.g., OUROBOROS_CLI_PATH=./malicious_script.sh). When the user executes a command like ouroboros init or any command that instantiates the adapter, the malicious script is executed instead of the intended CLI.
Patches
The vulnerability has been patched in version 0.39.0 via PR #1078.
The fix establishes a strict trust boundary by applying a denylist to project-local .env loading. It blocks execution-affecting environment variables (such as runtime selectors and CLI path overrides) from being loaded from the project directory. Explicit constructor overrides and trusted user-owned home configurations (~/.ouroboros/.env) remain fully functional.
Users are strongly advised to upgrade to version 0.39.0 or later.
Workarounds
If upgrading is not immediately possible, users must carefully inspect any .env file inside cloned repositories before running Ouroboros commands to ensure it does not contain unexpected OUROBOROS_*_CLI_PATH or OPENCODE_CLI_PATH overrides.
References
- GitHub PR: https://github.com/Q00/ouroboros/pull/1078
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ouroboros-ai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.39.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47211"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T21:22:41Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nA Remote Code Execution (RCE) vulnerability was discovered in Ouroboros. If a user clones a malicious repository and runs Ouroboros commands within that directory, it can lead to arbitrary code execution and potential system takeover.\n\nThe vulnerability (CWE-426: Untrusted Search Path \u0026 CWE-15: External Control of System Setting) stems from Ouroboros loading the `.env` file from the current working directory. Prior to the patch, execution-affecting environment variables such as `OUROBOROS_CLI_PATH`, `OPENCODE_CLI_PATH`, and other backend selectors were accepted directly from this local `.env`. An attacker could include a malicious script in the repository and point the CLI path variable to it (e.g., `OUROBOROS_CLI_PATH=./malicious_script.sh`). When the user executes a command like `ouroboros init` or any command that instantiates the adapter, the malicious script is executed instead of the intended CLI.\n\n### Patches\nThe vulnerability has been patched in version 0.39.0 via PR #1078.\nThe fix establishes a strict trust boundary by applying a denylist to project-local `.env` loading. It blocks execution-affecting environment variables (such as runtime selectors and CLI path overrides) from being loaded from the project directory. Explicit constructor overrides and trusted user-owned home configurations (`~/.ouroboros/.env`) remain fully functional. \n\nUsers are strongly advised to upgrade to version 0.39.0 or later.\n\n### Workarounds\nIf upgrading is not immediately possible, users must carefully inspect any `.env` file inside cloned repositories before running Ouroboros commands to ensure it does not contain unexpected `OUROBOROS_*_CLI_PATH` or `OPENCODE_CLI_PATH` overrides.\n\n### References\n- GitHub PR: https://github.com/Q00/ouroboros/pull/1078",
"id": "GHSA-c4m7-2gwp-vw76",
"modified": "2026-05-29T21:22:41Z",
"published": "2026-05-29T21:22:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Q00/ouroboros/security/advisories/GHSA-c4m7-2gwp-vw76"
},
{
"type": "WEB",
"url": "https://github.com/Q00/ouroboros/pull/1078"
},
{
"type": "WEB",
"url": "https://github.com/Q00/ouroboros/commit/4e70b760b4eb157469b58645339ba831f6513d37"
},
{
"type": "PACKAGE",
"url": "https://github.com/Q00/ouroboros"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ouroboros-ai Vulnerable to Remote Code Execution via Untrusted Project-Directory .env"
}
GHSA-C4WM-58W2-W4M2
Vulnerability from github – Published: 2022-05-17 02:27 – Updated: 2022-05-17 02:27Untrusted search path vulnerability in Self-extracting archive files created by Lhaz+ version 3.4.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2017-2249"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-17T13:18:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in Self-extracting archive files created by Lhaz+ version 3.4.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-c4wm-58w2-w4m2",
"modified": "2022-05-17T02:27:36Z",
"published": "2022-05-17T02:27:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2249"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN21369452/index.html"
},
{
"type": "WEB",
"url": "http://chitora.com/jvn21369452.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C56C-HF5F-5XJH
Vulnerability from github – Published: 2024-06-16 18:31 – Updated: 2024-08-07 21:31iRODS before 4.3.2 provides an msiSendMail function with a problematic dependency on the mail binary, such as in the mailMS.cpp#L94-L106 reference.
{
"affected": [],
"aliases": [
"CVE-2024-38462"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-16T16:15:09Z",
"severity": "CRITICAL"
},
"details": "iRODS before 4.3.2 provides an msiSendMail function with a problematic dependency on the mail binary, such as in the mailMS.cpp#L94-L106 reference.",
"id": "GHSA-c56c-hf5f-5xjh",
"modified": "2024-08-07T21:31:43Z",
"published": "2024-06-16T18:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38462"
},
{
"type": "WEB",
"url": "https://github.com/irods/irods/issues/7562"
},
{
"type": "WEB",
"url": "https://github.com/irods/irods/issues/7651"
},
{
"type": "WEB",
"url": "https://github.com/irods/irods/blob/97eb33f130349db5e01a4b85e89dd1da81460345/server/re/src/mailMS.cpp#L94-L106"
},
{
"type": "WEB",
"url": "https://irods.org/2024/05/irods-4-3-2-is-released"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C56H-5FH8-XJPV
Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2022-05-24 17:01Adobe Animate CC versions 19.2.1 and earlier have an insecure library loading (dll hijacking) vulnerability. Successful exploitation could lead to privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2019-7960"
],
"database_specific": {
"cwe_ids": [
"CWE-426",
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-14T16:15:00Z",
"severity": "MODERATE"
},
"details": "Adobe Animate CC versions 19.2.1 and earlier have an insecure library loading (dll hijacking) vulnerability. Successful exploitation could lead to privilege escalation.",
"id": "GHSA-c56h-5fh8-xjpv",
"modified": "2022-05-24T17:01:20Z",
"published": "2022-05-24T17:01:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7960"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/animate/apsb19-34.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Strategy: Attack Surface Reduction
Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
Mitigation
When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.
Mitigation
Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.
Mitigation
Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.
Mitigation
Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.
CAPEC-38: Leveraging/Manipulating Configuration File Search Paths
This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.