Common Weakness Enumeration

CWE-428

Allowed

Unquoted Search Path or Element

Abstraction: Base · Status: Draft

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.

761 vulnerabilities reference this CWE, most recent first.

GHSA-5VW3-9MWR-56V3

Vulnerability from github – Published: 2025-10-03 21:30 – Updated: 2025-12-08 18:30
VLAI
Details

An unquoted search path or element vulnerability has been reported to affect NetBak Replicator. If a local attacker gains a user account, they can then exploit the vulnerability to execute unauthorized code or commands.

We have already fixed the vulnerability in the following version: NetBak Replicator 4.5.15.0807 and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-57714"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-03T19:15:50Z",
    "severity": "HIGH"
  },
  "details": "An unquoted search path or element vulnerability has been reported to affect NetBak Replicator. If a local attacker gains a user account, they can then exploit the vulnerability to execute unauthorized code or commands.\n\nWe have already fixed the vulnerability in the following version:\nNetBak Replicator 4.5.15.0807 and later",
  "id": "GHSA-5vw3-9mwr-56v3",
  "modified": "2025-12-08T18:30:24Z",
  "published": "2025-10-03T21:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57714"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-25-39"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5W6R-H2M8-3MXG

Vulnerability from github – Published: 2025-05-11 18:30 – Updated: 2025-05-23 18:31
VLAI
Details

A vulnerability was found in MTSoftware C-Lodop 6.6.1.1. It has been rated as critical. This issue affects some unknown processing of the component CLodopPrintService. The manipulation leads to unquoted search path. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 6.6.13 is able to address this issue. It is recommended to upgrade the affected component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4540"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426",
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-11T16:15:50Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was found in MTSoftware C-Lodop 6.6.1.1. It has been rated as critical. This issue affects some unknown processing of the component CLodopPrintService. The manipulation leads to unquoted search path. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 6.6.13 is able to address this issue. It is recommended to upgrade the affected component.",
  "id": "GHSA-5w6r-h2m8-3mxg",
  "modified": "2025-05-23T18:31:54Z",
  "published": "2025-05-11T18:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4540"
    },
    {
      "type": "WEB",
      "url": "https://0nightsedge0.github.io/2025/05/14/CVE-2025-4540-C-Lodop"
    },
    {
      "type": "WEB",
      "url": "https://mega.nz/folder/A5lQQKpL#AF3WPzST3X1Ot6B6fs3bow"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.308285"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.308285"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.566789"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5WPM-3W6M-74WV

Vulnerability from github – Published: 2022-05-14 01:04 – Updated: 2022-05-14 01:04
VLAI
Details

In some Lenovo ThinkPads, an unquoted search path vulnerability was found in various versions of the Synaptics Pointing Device driver which could allow unauthorized code execution as a low privilege user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-16098"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-24T22:29:00Z",
    "severity": "HIGH"
  },
  "details": "In some Lenovo ThinkPads, an unquoted search path vulnerability was found in various versions of the Synaptics Pointing Device driver which could allow unauthorized code execution as a low privilege user.",
  "id": "GHSA-5wpm-3w6m-74wv",
  "modified": "2022-05-14T01:04:57Z",
  "published": "2022-05-14T01:04:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16098"
    },
    {
      "type": "WEB",
      "url": "https://support.lenovo.com/bg/en/product_security/len-24573"
    },
    {
      "type": "WEB",
      "url": "https://support.lenovo.com/us/en/solutions/LEN-24573"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5WW3-F86G-J763

Vulnerability from github – Published: 2026-01-28 15:31 – Updated: 2026-01-28 15:31
VLAI
Details

Prey 1.9.6 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the CronService to insert malicious code that would execute during application startup or system reboot.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-36986"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-28T13:15:51Z",
    "severity": "HIGH"
  },
  "details": "Prey 1.9.6 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the CronService to insert malicious code that would execute during application startup or system reboot.",
  "id": "GHSA-5ww3-f86g-j763",
  "modified": "2026-01-28T15:31:30Z",
  "published": "2026-01-28T15:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36986"
    },
    {
      "type": "WEB",
      "url": "https://preyproject.com"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/48967"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/prey-cronservice-unquoted-service-path"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5X8C-V227-PCXW

Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01
VLAI
Details

In Windscribe v1.83 Build 20, 'WindscribeService' has an Unquoted Service Path that facilitates privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-22809"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-10T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Windscribe v1.83 Build 20, \u0027WindscribeService\u0027 has an Unquoted Service Path that facilitates privilege escalation.",
  "id": "GHSA-5x8c-v227-pcxw",
  "modified": "2022-05-24T19:01:55Z",
  "published": "2022-05-24T19:01:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22809"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/48306"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6348-W693-WJ25

Vulnerability from github – Published: 2025-10-10 06:30 – Updated: 2025-10-10 06:30
VLAI
Details

NAS Navigator2 Windows version by BUFFALO INC. registers a Windows service with an unquoted file path. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-61871"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-10T05:15:33Z",
    "severity": "HIGH"
  },
  "details": "NAS Navigator2 Windows version by BUFFALO INC. registers a Windows service with an unquoted file path. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.",
  "id": "GHSA-6348-w693-wj25",
  "modified": "2025-10-10T06:30:55Z",
  "published": "2025-10-10T06:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61871"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN69099112"
    },
    {
      "type": "WEB",
      "url": "https://www.buffalo.jp/news/detail/20251009-01.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-634R-5WP4-57X4

Vulnerability from github – Published: 2022-04-06 00:01 – Updated: 2022-04-13 00:00
VLAI
Details

There is an unquoted service path in Sherpa Connector Service (SherpaConnectorService.exe) 2020.2.20328.2050. This might allow a local user to escalate privileges by creating a "C:\Program Files\Sherpa Software\Sherpa.exe" file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-23909"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-05T06:15:00Z",
    "severity": "HIGH"
  },
  "details": "There is an unquoted service path in Sherpa Connector Service (SherpaConnectorService.exe) 2020.2.20328.2050. This might allow a local user to escalate privileges by creating a \"C:\\Program Files\\Sherpa Software\\Sherpa.exe\" file.",
  "id": "GHSA-634r-5wp4-57x4",
  "modified": "2022-04-13T00:00:43Z",
  "published": "2022-04-06T00:01:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23909"
    },
    {
      "type": "WEB",
      "url": "https://github.com/netsectuna/CVE-2022-23909"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/166574/Sherpa-Connector-Service-2020.2.20328.2050-Unquoted-Service-Path.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6475-Q4QM-387R

Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48
VLAI
Details

An issue was discovered in the CheckUser extension for MediaWiki through 1.35.2. MediaWiki usernames with trailing whitespace could be stored in the cu_log database table such that denial of service occurred for certain CheckUser extension pages and functionality. For example, the attacker could turn off Special:CheckUserLog and thus interfere with usage tracking.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-31553"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-22T03:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in the CheckUser extension for MediaWiki through 1.35.2. MediaWiki usernames with trailing whitespace could be stored in the cu_log database table such that denial of service occurred for certain CheckUser extension pages and functionality. For example, the attacker could turn off Special:CheckUserLog and thus interfere with usage tracking.",
  "id": "GHSA-6475-q4qm-387r",
  "modified": "2022-05-24T17:48:08Z",
  "published": "2022-05-24T17:48:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31553"
    },
    {
      "type": "WEB",
      "url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/666963"
    },
    {
      "type": "WEB",
      "url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/666964"
    },
    {
      "type": "WEB",
      "url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/667023"
    },
    {
      "type": "WEB",
      "url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/667024"
    },
    {
      "type": "WEB",
      "url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/667025"
    },
    {
      "type": "WEB",
      "url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/667027"
    },
    {
      "type": "WEB",
      "url": "https://phabricator.wikimedia.org/T275669"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-64W2-CVG8-Q3C3

Vulnerability from github – Published: 2026-01-30 18:31 – Updated: 2026-01-30 18:31
VLAI
Details

Andrea ST Filters Service 1.0.64.7 contains an unquoted service path vulnerability in its Windows service configuration. Local attackers can exploit the unquoted path to inject malicious code that will execute with elevated LocalSystem privileges during service startup.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-37058"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-30T17:16:11Z",
    "severity": "HIGH"
  },
  "details": "Andrea ST Filters Service 1.0.64.7 contains an unquoted service path vulnerability in its Windows service configuration. Local attackers can exploit the unquoted path to inject malicious code that will execute with elevated LocalSystem privileges during service startup.",
  "id": "GHSA-64w2-cvg8-q3c3",
  "modified": "2026-01-30T18:31:15Z",
  "published": "2026-01-30T18:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37058"
    },
    {
      "type": "WEB",
      "url": "https://andreaelectronics.com"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/48396"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/andrea-st-filters-service-unquoted-service-path"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-656V-64RF-6VXR

Vulnerability from github – Published: 2026-01-16 00:30 – Updated: 2026-01-16 00:30
VLAI
Details

iFunbox 4.2 contains an unquoted service path vulnerability in the Apple Mobile Device Service that allows local attackers to execute code with elevated privileges. Attackers can insert a malicious executable into the unquoted service path to run with LocalSystem privileges when the service restarts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-16T00:16:24Z",
    "severity": "HIGH"
  },
  "details": "iFunbox 4.2 contains an unquoted service path vulnerability in the Apple Mobile Device Service that allows local attackers to execute code with elevated privileges. Attackers can insert a malicious executable into the unquoted service path to run with LocalSystem privileges when the service restarts.",
  "id": "GHSA-656v-64rf-6vxr",
  "modified": "2026-01-16T00:30:55Z",
  "published": "2026-01-16T00:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47803"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/50040"
    },
    {
      "type": "WEB",
      "url": "https://www.i-funbox.com/en/index.html"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/ifunbox-apple-mobile-device-service-unquoted-service-path"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation

Properly quote the full search path before executing a program on the system.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

No CAPEC attack patterns related to this CWE.