CWE-426
Allowed-with-ReviewUntrusted Search Path
Abstraction: Base · Status: Stable
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
892 vulnerabilities reference this CWE, most recent first.
GHSA-F9JQ-MJRW-MQFW
Vulnerability from github – Published: 2022-05-14 02:57 – Updated: 2022-05-14 02:57Untrusted search path vulnerability in RW-5100 tool to verify execution environment for Windows 7 version 1.1.0.0 and RW-5100 tool to verify execution environment for Windows 8.1 version 1.2.0.0 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2017-2192"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-09T16:29:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in RW-5100 tool to verify execution environment for Windows 7 version 1.1.0.0 and RW-5100 tool to verify execution environment for Windows 8.1 version 1.2.0.0 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-f9jq-mjrw-mqfw",
"modified": "2022-05-14T02:57:31Z",
"published": "2022-05-14T02:57:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2192"
},
{
"type": "WEB",
"url": "http://jvn.jp/en/jp/JVN51274854/index.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99290"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FC4H-467W-46RH
Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2024-09-05 00:43A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.6.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0a1"
},
{
"fixed": "2.5.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0a1"
},
{
"fixed": "2.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-10875"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-22T22:09:48Z",
"nvd_published_at": "2018-07-13T22:29:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.",
"id": "GHSA-fc4h-467w-46rh",
"modified": "2024-09-05T00:43:11Z",
"published": "2022-05-13T01:07:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10875"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/issues/42388"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/pull/43583"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/pull/42070"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/ff980afefdbe4ceb828bdb1bb2eef03cf616bf63"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/4cecbe81adbc655d7ab734165d3ac539f8ba5981"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/f32c42c37aaf7b9db93ea3151b2f42a0c4bd8172"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4396"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20201130165946/http://www.securitytracker.com/id/1041396"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4072-1"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-43.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/ansible/ansible"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10875"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:0054"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2585"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2321"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2166"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2152"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2151"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2150"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2018:3788"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Ansible Arbitrary Code Execution"
}
GHSA-FCM9-VXQ9-MF94
Vulnerability from github – Published: 2023-11-14 18:30 – Updated: 2023-11-14 18:30A untrusted search path vulnerability in Fortinet FortiClientWindows 7.0.9 allows an attacker to perform a DLL Hijack attack via a malicious OpenSSL engine library in the search path.
{
"affected": [],
"aliases": [
"CVE-2023-41840"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-14T18:15:53Z",
"severity": "HIGH"
},
"details": "A untrusted search path vulnerability in Fortinet FortiClientWindows 7.0.9 allows an attacker to perform a DLL Hijack attack via a malicious OpenSSL engine library in the search path.",
"id": "GHSA-fcm9-vxq9-mf94",
"modified": "2023-11-14T18:30:29Z",
"published": "2023-11-14T18:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41840"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-23-274"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FF49-RCWM-77WJ
Vulnerability from github – Published: 2022-05-17 02:27 – Updated: 2022-05-17 02:27Untrusted search path vulnerability in Self-extracting encrypted files created by AttacheCase ver.2.8.3.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2017-2271"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-17T13:18:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in Self-extracting encrypted files created by AttacheCase ver.2.8.3.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-ff49-rcwm-77wj",
"modified": "2022-05-17T02:27:36Z",
"published": "2022-05-17T02:27:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2271"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN61502349/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FFHP-7CCJ-4RPW
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 binaries load shared libraries from an untrusted path potentially giving low privilege user full access to the DB2 instance account by loading a malicious shared library. IBM X-Force ID: 149640.
{
"affected": [],
"aliases": [
"CVE-2018-1802"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-09T01:29:00Z",
"severity": "HIGH"
},
"details": "IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 binaries load shared libraries from an untrusted path potentially giving low privilege user full access to the DB2 instance account by loading a malicious shared library. IBM X-Force ID: 149640.",
"id": "GHSA-ffhp-7ccj-4rpw",
"modified": "2022-05-13T01:32:38Z",
"published": "2022-05-13T01:32:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1802"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/149640"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=ibm10733122"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105962"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1042082"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FH68-JJ27-GPHG
Vulnerability from github – Published: 2026-07-14 12:31 – Updated: 2026-07-14 12:31A vulnerability has been identified in COMOS V10.4.5 (All versions < V10.4.5.0.2), COMOS V10.6 (All versions < V10.6.1), Designcenter NX (All versions < V2512.7000), Simcenter 3D (All versions < V2512.7000), Simcenter Femap V2506 (All versions < V2506.0003), Simcenter Femap V2512 (All versions < V2512.0002), Simcenter Nastran (All versions < V2606), Simcenter STAR-CCM+ (All versions < V2606), Solid Edge SE2025 (All versions < V225.0 Update 13), Solid Edge SE2026 (All versions < V226.0 Update 04), Teamcenter Visualization V2412 (All versions < V2412.0012), Teamcenter Visualization V2506 (All versions < V2506.0009), Teamcenter Visualization V2512 (All versions < V2512.2605), Tecnomatix Plant Simulation V2404 (All versions < V2404.0022), Tecnomatix Plant Simulation V2504 (All versions < V2504.0010), Tecnomatix Process Simulate (All versions < V2606). Untrusted search path in IAM Client SDK may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2025-40945"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T10:16:30Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in COMOS V10.4.5 (All versions \u003c V10.4.5.0.2), COMOS V10.6 (All versions \u003c V10.6.1), Designcenter NX (All versions \u003c V2512.7000), Simcenter 3D (All versions \u003c V2512.7000), Simcenter Femap V2506 (All versions \u003c V2506.0003), Simcenter Femap V2512 (All versions \u003c V2512.0002), Simcenter Nastran (All versions \u003c V2606), Simcenter STAR-CCM+ (All versions \u003c V2606), Solid Edge SE2025 (All versions \u003c V225.0 Update 13), Solid Edge SE2026 (All versions \u003c V226.0 Update 04), Teamcenter Visualization V2412 (All versions \u003c V2412.0012), Teamcenter Visualization V2506 (All versions \u003c V2506.0009), Teamcenter Visualization V2512 (All versions \u003c V2512.2605), Tecnomatix Plant Simulation V2404 (All versions \u003c V2404.0022), Tecnomatix Plant Simulation V2504 (All versions \u003c V2504.0010), Tecnomatix Process Simulate (All versions \u003c V2606). Untrusted search path in IAM Client SDK may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-fh68-jj27-gphg",
"modified": "2026-07-14T12:31:14Z",
"published": "2026-07-14T12:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40945"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-288252.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FH7V-R2M4-QWC3
Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2022-05-24 17:27Shenzhen Tencent TIM Windows client 3.0.0.21315 has a DLL hijacking vulnerability, which can be exploited by attackers to execute malicious code.
{
"affected": [],
"aliases": [
"CVE-2020-24160"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-03T17:15:00Z",
"severity": "MODERATE"
},
"details": "Shenzhen Tencent TIM Windows client 3.0.0.21315 has a DLL hijacking vulnerability, which can be exploited by attackers to execute malicious code.",
"id": "GHSA-fh7v-r2m4-qwc3",
"modified": "2022-05-24T17:27:19Z",
"published": "2022-05-24T17:27:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24160"
},
{
"type": "WEB",
"url": "https://www.cnvd.org.cn/flaw/show/2105395"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FHC4-5JCH-GG65
Vulnerability from github – Published: 2025-01-31 15:30 – Updated: 2025-01-31 15:30Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39378.
{
"affected": [],
"aliases": [
"CVE-2025-24828"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-31T13:15:27Z",
"severity": "MODERATE"
},
"details": "Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39378.",
"id": "GHSA-fhc4-5jch-gg65",
"modified": "2025-01-31T15:30:44Z",
"published": "2025-01-31T15:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24828"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-7842"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FJ8R-46Q3-HP4R
Vulnerability from github – Published: 2023-02-23 21:30 – Updated: 2025-03-17 21:30An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.
{
"affected": [],
"aliases": [
"CVE-2023-23920"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-23T20:15:00Z",
"severity": "MODERATE"
},
"details": "An untrusted search path vulnerability exists in Node.js. \u003c19.6.1, \u003c18.14.1, \u003c16.19.1, and \u003c14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.",
"id": "GHSA-fj8r-46q3-hp4r",
"modified": "2025-03-17T21:30:22Z",
"published": "2023-02-23T21:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23920"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00038.html"
},
{
"type": "WEB",
"url": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230316-0008"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5395"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FJCQ-4C82-3M9G
Vulnerability from github – Published: 2022-05-14 02:24 – Updated: 2022-05-14 02:24Untrusted search path vulnerability in Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0.0.213 on Windows and OS X and before 11.2.202.616 on Linux allows local users to gain privileges via a Trojan horse resource in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2016-1014"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-04-09T01:59:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0.0.213 on Windows and OS X and before 11.2.202.616 on Linux allows local users to gain privileges via a Trojan horse resource in an unspecified directory.",
"id": "GHSA-fjcq-4c82-3m9g",
"modified": "2022-05-14T02:24:56Z",
"published": "2022-05-14T02:24:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1014"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-050"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/flash-player/apsb16-10.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/137532/Adobe-Flash-Player-DLL-Hijacking.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0610.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2016/Jun/39"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/538699/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1035509"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Attack Surface Reduction
Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
Mitigation
When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.
Mitigation
Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.
Mitigation
Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.
Mitigation
Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.
CAPEC-38: Leveraging/Manipulating Configuration File Search Paths
This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.