Common Weakness Enumeration

CWE-428

Allowed

Unquoted Search Path or Element

Abstraction: Base · Status: Draft

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.

761 vulnerabilities reference this CWE, most recent first.

GHSA-8GC4-MHF5-X6QM

Vulnerability from github – Published: 2026-02-01 15:32 – Updated: 2026-02-01 15:32
VLAI
Details

SpyHunter 4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path by placing malicious executables in specific file system locations to gain elevated access during service startup.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-37055"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-01T15:16:04Z",
    "severity": "HIGH"
  },
  "details": "SpyHunter 4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path by placing malicious executables in specific file system locations to gain elevated access during service startup.",
  "id": "GHSA-8gc4-mhf5-x6qm",
  "modified": "2026-02-01T15:32:31Z",
  "published": "2026-02-01T15:32:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37055"
    },
    {
      "type": "WEB",
      "url": "https://www.enigmasoftware.com"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/48172"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/spyhunter-spyhunter-service-unquoted-service-path"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8GXF-72XG-W67C

Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2024-04-04 01:58
VLAI
Details

Forcepoint VPN Client for Windows versions lower than 6.6.1 have an unquoted search path vulnerability. This enables local privilege escalation to SYSTEM user. By default, only local administrators can write executables to the vulnerable directories. Forcepoint thanks Peleg Hadar of SafeBreach Labs for finding this vulnerability and for reporting it to us.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-6145"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-20T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Forcepoint VPN Client for Windows versions lower than 6.6.1 have an unquoted search path vulnerability. This enables local privilege escalation to SYSTEM user. By default, only local administrators can write executables to the vulnerable directories. Forcepoint thanks Peleg Hadar of SafeBreach Labs for finding this vulnerability and for reporting it to us.",
  "id": "GHSA-8gxf-72xg-w67c",
  "modified": "2024-04-04T01:58:48Z",
  "published": "2022-05-24T16:56:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6145"
    },
    {
      "type": "WEB",
      "url": "https://help.forcepoint.com/security/CVE/CVE-2019-6145.html"
    },
    {
      "type": "WEB",
      "url": "https://safebreach.com/Post/Forcepoint-VPN-Client-for-Windows-Unquoted-Search-Path-and-Potential-Abuses-CVE-2019-6145"
    },
    {
      "type": "WEB",
      "url": "https://support.forcepoint.com/KBArticle?id=000017525"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8JFJ-FR6V-VXCH

Vulnerability from github – Published: 2026-01-31 00:30 – Updated: 2026-02-05 21:32
VLAI
Details

IBM Db2 for Windows 12.1.0 - 12.1.3 could allow a local user with filesystem access to escalate their privileges due to the use of an unquoted search path element.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36384"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-30T22:15:54Z",
    "severity": "HIGH"
  },
  "details": "IBM Db2 for Windows\u00a012.1.0 - 12.1.3  could allow a local user with filesystem access to escalate their privileges due to the use of an unquoted search path element.",
  "id": "GHSA-8jfj-fr6v-vxch",
  "modified": "2026-02-05T21:32:38Z",
  "published": "2026-01-31T00:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36384"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7257678"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8JWJ-HRWC-5589

Vulnerability from github – Published: 2025-12-08 12:30 – Updated: 2025-12-08 12:30
VLAI
Details

FULLBACK Manager Pro provided by GS Yuasa International Ltd. registers two Windows services with unquoted file paths. A user may execute arbitrary code with SYSTEM privilege if he/she has the write permission on the path to the directory where the affected product is installed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-66461"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-08T10:16:01Z",
    "severity": "HIGH"
  },
  "details": "FULLBACK Manager Pro provided by GS Yuasa International Ltd. registers  two Windows services with unquoted file paths. A user may execute arbitrary code with SYSTEM privilege if he/she has the write permission on the path to the directory where the affected product is installed.",
  "id": "GHSA-8jwj-hrwc-5589",
  "modified": "2025-12-08T12:30:26Z",
  "published": "2025-12-08T12:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66461"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN59242986"
    },
    {
      "type": "WEB",
      "url": "https://ps.gs-yuasa.com/technicalinfo/pdf/failure/FMP_info20251201_TEX48214-993.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8PP9-95MF-4FHV

Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-04-04 02:35
VLAI
Details

Unquoted Search Path in Maxthon 5.1.0 to 5.2.7 Browser for Windows.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-16647"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-29T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Unquoted Search Path in Maxthon 5.1.0 to 5.2.7 Browser for Windows.",
  "id": "GHSA-8pp9-95mf-4fhv",
  "modified": "2024-04-04T02:35:55Z",
  "published": "2022-05-24T17:00:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16647"
    },
    {
      "type": "WEB",
      "url": "https://safebreach.com/Post/Maxthon-Browser-for-Windows-Unquoted-Search-Path-and-Potential-Abuses-CVE-2019-16647"
    },
    {
      "type": "WEB",
      "url": "http://forum.maxthon.com/index.php?/topic/24472-unquoted-search-path-and-potential-abuses"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8Q88-X5Q8-WJ38

Vulnerability from github – Published: 2024-04-29 18:30 – Updated: 2024-04-29 18:30
VLAI
Details

Local privilege escalation due to unquoted search path vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 37758.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-34010"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-29T16:15:35Z",
    "severity": "HIGH"
  },
  "details": "Local privilege escalation due to unquoted search path vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 37758.",
  "id": "GHSA-8q88-x5q8-wj38",
  "modified": "2024-04-29T18:30:45Z",
  "published": "2024-04-29T18:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34010"
    },
    {
      "type": "WEB",
      "url": "https://security-advisory.acronis.com/advisories/SEC-7110"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9243-8H4W-G3WG

Vulnerability from github – Published: 2026-01-16 00:30 – Updated: 2026-01-16 00:30
VLAI
Details

WibuKey Runtime 6.51 contains an unquoted service path vulnerability in the WkSvW32.exe service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe' to inject malicious executables and escalate privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47810"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-16T00:16:26Z",
    "severity": "HIGH"
  },
  "details": "WibuKey Runtime 6.51 contains an unquoted service path vulnerability in the WkSvW32.exe service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in \u0027C:\\PROGRAM FILES (X86)\\WIBUKEY\\SERVER\\WkSvW32.exe\u0027 to inject malicious executables and escalate privileges.",
  "id": "GHSA-9243-8h4w-g3wg",
  "modified": "2026-01-16T00:30:55Z",
  "published": "2026-01-16T00:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47810"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/49999"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/wibukey-runtime-wksvwexe-unquoted-service-path"
    },
    {
      "type": "WEB",
      "url": "https://www.wibu.com"
    },
    {
      "type": "WEB",
      "url": "https://www.wibu.com/us/support/user/downloads-user-software.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-92FW-2MW4-J797

Vulnerability from github – Published: 2022-10-13 12:00 – Updated: 2022-10-14 19:00
VLAI
Details

Dell GeoDrive, versions prior to 2.2, contains an Unquoted File Path vulnerability. A low privilege attacker could potentially exploit this vulnerability, leading to the execution of arbitrary code in the SYSTEM security context.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-33920"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-12T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Dell GeoDrive, versions prior to 2.2, contains an Unquoted File Path vulnerability. A low privilege attacker could potentially exploit this vulnerability, leading to the execution of arbitrary code in the SYSTEM security context.",
  "id": "GHSA-92fw-2mw4-j797",
  "modified": "2022-10-14T19:00:42Z",
  "published": "2022-10-13T12:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33920"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/000203632"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-93J2-GQC2-7P2V

Vulnerability from github – Published: 2026-01-16 00:30 – Updated: 2026-01-16 00:30
VLAI
Details

Active WebCam 11.5 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the misconfigured service path by placing malicious executables in specific directory locations to gain administrative access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47790"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-16T00:16:22Z",
    "severity": "HIGH"
  },
  "details": "Active WebCam 11.5 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the misconfigured service path by placing malicious executables in specific directory locations to gain administrative access.",
  "id": "GHSA-93j2-gqc2-7p2v",
  "modified": "2026-01-16T00:30:55Z",
  "published": "2026-01-16T00:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47790"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/50273"
    },
    {
      "type": "WEB",
      "url": "https://www.pysoft.com"
    },
    {
      "type": "WEB",
      "url": "https://www.techspot.com/downloads/175-active-webcam.html"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/active-webcam-unquoted-service-path"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9425-QRRG-4G6Q

Vulnerability from github – Published: 2026-07-14 18:31 – Updated: 2026-07-14 18:31
VLAI
Details

A code execution security issue exists within Studio 5000 Logix Designer® due to an unquoted search path in the External Tools configuration. The executable paths specified in the external tools configuration file are not properly quoted, and because these paths contain spaces, the operating system may resolve them to unintended executables placed earlier in the search order. If exploited, an attacker could plant a malicious executable in a location within the search path, resulting in arbitrary code execution with the same permissions of the user running the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9128"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T16:17:05Z",
    "severity": "HIGH"
  },
  "details": "A code execution security issue exists within\u00a0Studio 5000 Logix Designer\u00ae\u00a0due to an unquoted search path in the External Tools configuration. The executable paths specified in the external\u00a0tools\u00a0configuration\u00a0file are not properly quoted, and because these paths\u00a0contain\u00a0spaces, the operating system may resolve them to unintended executables placed earlier in the search order. If exploited, an attacker could plant a malicious executable in a location within the search path, resulting in arbitrary code execution\u00a0with the same permissions\u00a0of\u00a0the user running the application.",
  "id": "GHSA-9425-qrrg-4g6q",
  "modified": "2026-07-14T18:31:56Z",
  "published": "2026-07-14T18:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9128"
    },
    {
      "type": "WEB",
      "url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1783.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation

Properly quote the full search path before executing a program on the system.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

No CAPEC attack patterns related to this CWE.