Common Weakness Enumeration

CWE-426

Allowed-with-Review

Untrusted Search Path

Abstraction: Base · Status: Stable

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

892 vulnerabilities reference this CWE, most recent first.

GHSA-J2F2-77F8-CGRM

Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-04-04 02:29
VLAI
Details

NSA Ghidra through 9.0.4 uses a potentially untrusted search path. When executing Ghidra from a given path, the Java process working directory is set to this path. Then, when launching the Python interpreter via the "Ghidra Codebrowser > Window > Python" option, Ghidra will try to execute the cmd.exe program from this working directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-17664"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-16T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "NSA Ghidra through 9.0.4 uses a potentially untrusted search path. When executing Ghidra from a given path, the Java process working directory is set to this path. Then, when launching the Python interpreter via the \"Ghidra Codebrowser \u003e Window \u003e Python\" option, Ghidra will try to execute the cmd.exe program from this working directory.",
  "id": "GHSA-j2f2-77f8-cgrm",
  "modified": "2024-04-04T02:29:07Z",
  "published": "2022-05-24T16:58:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17664"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NationalSecurityAgency/ghidra/issues/107"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J36W-RCVV-VQMX

Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38
VLAI
Details

Multiple untrusted search path vulnerabilities in the installer in Synology Cloud Station Drive before 4.2.5-4396 on Windows allow local attackers to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll or (4) dwmapi.dll file in the current working directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-11158"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426",
      "CWE-427"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-31T13:29:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple untrusted search path vulnerabilities in the installer in Synology Cloud Station Drive before 4.2.5-4396 on Windows allow local attackers to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll or (4) dwmapi.dll file in the current working directory.",
  "id": "GHSA-j36w-rcvv-vqmx",
  "modified": "2022-05-13T01:38:17Z",
  "published": "2022-05-13T01:38:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11158"
    },
    {
      "type": "WEB",
      "url": "https://www.synology.com/en-global/support/security/Synology_SA_17_51_Cloud_Station_Drive"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J3GV-X7FR-5WQW

Vulnerability from github – Published: 2025-11-10 18:30 – Updated: 2025-11-10 18:30
VLAI
Details

The Qualys Cloud Agent included a bundled uninstall script (qagent_uninstall.sh), specific to MacOS and Linux supported versions that invoked multiple system commands without using absolute paths and without sanitizing the $PATH environment. If the uninstall script is executed with elevated privileges (e.g., via sudo) in an environment where $PATH has been manipulated, an attacker with root/sudo privileges could cause malicious executables to be run in place of the intended system binaries. This behavior can be leveraged for local privilege escalation and arbitrary command execution under elevated privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-43079"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426",
      "CWE-732"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-10T18:16:06Z",
    "severity": "MODERATE"
  },
  "details": "The Qualys Cloud Agent included a bundled uninstall script (qagent_uninstall.sh), specific to MacOS and Linux supported versions that invoked multiple system commands without using absolute paths and without sanitizing the $PATH environment. If the uninstall script is executed with elevated privileges (e.g., via sudo) in an environment where $PATH has been manipulated, an attacker with root/sudo privileges could cause malicious executables to be run in place of the intended system binaries. This behavior can be leveraged for local privilege escalation and arbitrary command execution under elevated privileges.",
  "id": "GHSA-j3gv-x7fr-5wqw",
  "modified": "2025-11-10T18:30:35Z",
  "published": "2025-11-10T18:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43079"
    },
    {
      "type": "WEB",
      "url": "https://www.qualys.com/security-advisories/cve-2025-43079"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J4J9-7HG9-97G6

Vulnerability from github – Published: 2022-10-11 20:41 – Updated: 2025-04-09 20:06
VLAI
Summary
Poetry vulnerable to Untrusted Search Path leading to Local Code Execution on Windows
Details

Observation

To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. git config. These commands are being executed using the executable’s name and not its absolute path.

This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the PATH environment variable afterward. If the current directory contains unknown and thus potentially malicious files, the directory could contain an executable named git.exe which would be executed by Poetry.

Poetry calls executables by name when handling dependencies from Git. Note that there might be even more places where Poetry calls executables by name.

Impact

This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make

sure nothing can happen, e.g. by checking that the referenced Git dependency is not malicious and points to a trusted Git repository. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. This kind of attack vector has been used in the past to target security researchers by sending them projects to collaborate on, so we believe that there is a non-negligible risk.

Patches

1.1.9 || 1.2.0b1

Remediation

Upgrade to version 1.1.9 || 1.2.0b1

References

Fix PR

For more information

If you have any questions or comments about this advisory: * Email us at security@python-poetry.org

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "poetry"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-36070"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-11T20:41:47Z",
    "nvd_published_at": "2022-09-07T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Observation\n\nTo handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable\u2019s name and not its absolute path.\n\nThis can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. If the current directory contains unknown and thus potentially malicious files, the directory could contain an executable named `git.exe` which would be executed by Poetry.\n\nPoetry calls executables by name when handling dependencies from Git. Note that there might be even more places where Poetry calls executables by name.\n\n### Impact\n\nThis vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems.\nSince this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make\n \nsure nothing can happen, e.g. by checking that the referenced Git dependency is not malicious and points to a trusted Git repository.\nThe victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. This kind of attack vector has been used in the past to target security researchers by sending them projects to collaborate on, so we believe that there is a non-negligible risk.\n\n### Patches\n\n1.1.9 || 1.2.0b1\n\n### Remediation\n\nUpgrade to version 1.1.9 || 1.2.0b1\n\n### References\n\n[Fix PR](https://github.com/python-poetry/poetry-core/pull/204)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Email us at [security@python-poetry.org](mailto:security@python-poetry.org)",
  "id": "GHSA-j4j9-7hg9-97g6",
  "modified": "2025-04-09T20:06:43Z",
  "published": "2022-10-11T20:41:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36070"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/poetry/PYSEC-2022-43179.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/python-poetry/poetry"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Poetry vulnerable to Untrusted Search Path leading to Local Code Execution on Windows"
}

GHSA-J4QC-XG6G-J9FH

Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-05-14 18:30
VLAI
Details
                A local low privileged attacker can use an untrusted search path in a CHARX system utility to gain root

privileges. 

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-28133"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T16:16:36Z",
    "severity": "HIGH"
  },
  "details": "\n\t\n\t\t\n\t\t\n\t\n\t\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\tA local low privileged attacker can use an untrusted search path in a\u00a0CHARX system utility to gain\u00a0root\nprivileges.\u00a0\n\n\n\n\t\t\t\t\n\n\n\t\t\t\n\n\n\t\t\n\n\n\t\n\n\n\n\t\t\t\t\n\n\n\t\t\t\n\n\n\t\t\n\n\n\t\n",
  "id": "GHSA-j4qc-xg6g-j9fh",
  "modified": "2024-05-14T18:30:59Z",
  "published": "2024-05-14T18:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28133"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en/advisories/VDE-2024-019"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J4XV-VQ4C-X7JR

Vulnerability from github – Published: 2022-05-21 00:01 – Updated: 2022-06-03 00:00
VLAI
Details

An arbitrary file write vulnerability in Avast Premium Security before v21.11.2500 (build 21.11.6809.528) allows attackers to cause a Denial of Service (DoS) via a crafted DLL file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-28964"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-20T02:15:00Z",
    "severity": "HIGH"
  },
  "details": "An arbitrary file write vulnerability in Avast Premium Security before v21.11.2500 (build 21.11.6809.528) allows attackers to cause a Denial of Service (DoS) via a crafted DLL file.",
  "id": "GHSA-j4xv-vq4c-x7jr",
  "modified": "2022-06-03T00:00:56Z",
  "published": "2022-05-21T00:01:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28964"
    },
    {
      "type": "WEB",
      "url": "https://forum.avast.com/index.php?topic=317641.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/netero1010/Vulnerability-Disclosure/tree/main/CVE-2022-AVAST1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J535-FRF7-672M

Vulnerability from github – Published: 2022-05-14 03:17 – Updated: 2022-05-14 03:17
VLAI
Details

Untrusted search path vulnerability in CELSYS, Inc CLIP STUDIO series (CLIP STUDIO PAINT (for Windows) EX/PRO/DEBUT Ver.1.7.3 and earlier, CLIP STUDIO ACTION (for Windows) Ver.1.5.5 and earlier, with its timestamp prior to April 25, 2018, 12:11:31, and CLIP STUDIO MODELER (for Windows) Ver.1.6.3 and earlier, with its timestamp prior to April 25, 2018, 17:02:49) allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-0580"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-14T13:29:00Z",
    "severity": "HIGH"
  },
  "details": "Untrusted search path vulnerability in CELSYS, Inc CLIP STUDIO series (CLIP STUDIO PAINT (for Windows) EX/PRO/DEBUT Ver.1.7.3 and earlier, CLIP STUDIO ACTION (for Windows) Ver.1.5.5 and earlier, with its timestamp prior to April 25, 2018, 12:11:31, and CLIP STUDIO MODELER (for Windows) Ver.1.6.3 and earlier, with its timestamp prior to April 25, 2018, 17:02:49) allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.",
  "id": "GHSA-j535-frf7-672m",
  "modified": "2022-05-14T03:17:26Z",
  "published": "2022-05-14T03:17:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0580"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN68345747"
    },
    {
      "type": "WEB",
      "url": "https://www.clip-studio.com/clip_site/download/clipstudioaction/csaupdater/index_win"
    },
    {
      "type": "WEB",
      "url": "http://www.clipstudio.net/en/dl"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J5R8-XQJR-9RQ4

Vulnerability from github – Published: 2022-05-17 02:40 – Updated: 2022-05-17 02:40
VLAI
Details

Untrusted search path vulnerability in PatchJGD (Hyoko) (PatchJGDh101.EXE) ver. 1.0.1 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-2211"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-09T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "Untrusted search path vulnerability in PatchJGD (Hyoko) (PatchJGDh101.EXE) ver. 1.0.1 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
  "id": "GHSA-j5r8-xqjr-9rq4",
  "modified": "2022-05-17T02:40:12Z",
  "published": "2022-05-17T02:40:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2211"
    },
    {
      "type": "WEB",
      "url": "http://jvn.jp/en/jp/JVN52691241/index.html"
    },
    {
      "type": "WEB",
      "url": "http://www.gsi.go.jp/sokuchikijun/sokuchikijun41011.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J67V-2MW8-JJ8W

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03
VLAI
Details

Untrusted search path vulnerability in The Installer of Overwolf 2.168.0.n and earlier allows an attacker to gain privileges and execute arbitrary code with the privilege of the user invoking the installer via a Trojan horse DLL in an unspecified directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20726"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426",
      "CWE-427"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-24T04:15:00Z",
    "severity": "HIGH"
  },
  "details": "Untrusted search path vulnerability in The Installer of Overwolf 2.168.0.n and earlier allows an attacker to gain privileges and execute arbitrary code with the privilege of the user invoking the installer via a Trojan horse DLL in an unspecified directory.",
  "id": "GHSA-j67v-2mw8-jj8w",
  "modified": "2022-05-24T19:03:08Z",
  "published": "2022-05-24T19:03:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20726"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN78254777/index.html"
    },
    {
      "type": "WEB",
      "url": "https://www.overwolf.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J6CV-GHPP-PHC2

Vulnerability from github – Published: 2022-05-24 17:23 – Updated: 2025-05-05 18:30
VLAI
Details

Adobe ColdFusion 2016 update 15 and earlier versions, and ColdFusion 2018 update 9 and earlier versions have a dll search-order hijacking vulnerability. Successful exploitation could lead to privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-9672"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-17T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Adobe ColdFusion 2016 update 15 and earlier versions, and ColdFusion 2018 update 9 and earlier versions have a dll search-order hijacking vulnerability. Successful exploitation could lead to privilege escalation.",
  "id": "GHSA-j6cv-ghpp-phc2",
  "modified": "2025-05-05T18:30:45Z",
  "published": "2022-05-24T17:23:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9672"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/coldfusion/apsb20-43.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Strategy: Attack Surface Reduction

Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.

Mitigation
Implementation

When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.

Mitigation
Implementation

Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.

Mitigation
Implementation

Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.

Mitigation
Implementation

Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.

CAPEC-38: Leveraging/Manipulating Configuration File Search Paths

This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.