CWE-428
AllowedUnquoted Search Path or Element
Abstraction: Base · Status: Draft
The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
761 vulnerabilities reference this CWE, most recent first.
GHSA-95H3-7WFC-RRJ8
Vulnerability from github – Published: 2026-06-19 15:33 – Updated: 2026-06-19 15:33Matrix42 Remote Control Host 3.20.0031 contains an unquoted service path vulnerability in the FastViewerRemoteService and FastViewerRemoteProxy services that allows local users to execute arbitrary code with SYSTEM privileges. Attackers can place a malicious executable in the Program Files directory with a crafted name to be executed by the service during startup, gaining elevated privileges.
{
"affected": [],
"aliases": [
"CVE-2016-20095"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-19T15:16:33Z",
"severity": "HIGH"
},
"details": "Matrix42 Remote Control Host 3.20.0031 contains an unquoted service path vulnerability in the FastViewerRemoteService and FastViewerRemoteProxy services that allows local users to execute arbitrary code with SYSTEM privileges. Attackers can place a malicious executable in the Program Files directory with a crafted name to be executed by the service during startup, gaining elevated privileges.",
"id": "GHSA-95h3-7wfc-rrj8",
"modified": "2026-06-19T15:33:18Z",
"published": "2026-06-19T15:33:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-20095"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/39908"
},
{
"type": "WEB",
"url": "https://www.matrix42.com"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/matrix42-remote-control-host-unquoted-path-privilege-escalation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-95JG-FJ9G-2Q86
Vulnerability from github – Published: 2026-01-16 00:30 – Updated: 2026-01-16 00:30Brother BRAgent 1.38 contains an unquoted service path vulnerability in the WBA_Agent_Client service running with LocalSystem privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Brother\BRAgent\ to inject and execute malicious code with elevated system permissions.
{
"affected": [],
"aliases": [
"CVE-2020-36928"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-16T00:16:20Z",
"severity": "HIGH"
},
"details": "Brother BRAgent 1.38 contains an unquoted service path vulnerability in the WBA_Agent_Client service running with LocalSystem privileges. Attackers can exploit the unquoted path in C:\\Program Files (x86)\\Brother\\BRAgent\\ to inject and execute malicious code with elevated system permissions.",
"id": "GHSA-95jg-fj9g-2q86",
"modified": "2026-01-16T00:30:54Z",
"published": "2026-01-16T00:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36928"
},
{
"type": "WEB",
"url": "https://help.brother-usa.com/app/answers/detail/a_id/174732/~/what-is-bragent%3F"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/50010"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/brother-bragent-wbaagentclient-unquoted-service-path"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-96HH-FPGR-2F83
Vulnerability from github – Published: 2026-01-15 18:31 – Updated: 2026-01-15 18:31Dynojet Power Core 2.3.0 contains an unquoted service path vulnerability in the DJ.UpdateService that allows local authenticated users to potentially execute code with elevated privileges. Attackers can exploit the unquoted binary path by placing malicious executables in the service's file path to gain Local System access.
{
"affected": [],
"aliases": [
"CVE-2021-47773"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-15T16:16:09Z",
"severity": "HIGH"
},
"details": "Dynojet Power Core 2.3.0 contains an unquoted service path vulnerability in the DJ.UpdateService that allows local authenticated users to potentially execute code with elevated privileges. Attackers can exploit the unquoted binary path by placing malicious executables in the service\u0027s file path to gain Local System access.",
"id": "GHSA-96hh-fpgr-2f83",
"modified": "2026-01-15T18:31:32Z",
"published": "2026-01-15T18:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47773"
},
{
"type": "WEB",
"url": "https://www.dynojet.com"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/50466"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-96M3-7M8M-WMFF
Vulnerability from github – Published: 2024-07-31 15:31 – Updated: 2024-08-12 21:31A “CWE-428: Unquoted Search Path or Element” affects the ThermoscanIP_Scrutation service. Such misconfiguration could be abused in scenarios where incorrect permissions were assigned to the C:\ path to attempt a privilege escalation on the local machine.
{
"affected": [],
"aliases": [
"CVE-2024-31201"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-31T14:15:04Z",
"severity": "MODERATE"
},
"details": "A \u201cCWE-428: Unquoted Search Path or Element\u201d affects the ThermoscanIP_Scrutation service. Such misconfiguration could be abused in scenarios where incorrect permissions were assigned to the C:\\ path to attempt a privilege escalation on the local machine.",
"id": "GHSA-96m3-7m8m-wmff",
"modified": "2024-08-12T21:31:32Z",
"published": "2024-07-31T15:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31201"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-31201"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9736-7XHM-G3FF
Vulnerability from github – Published: 2023-04-29 03:30 – Updated: 2023-04-29 03:30A vulnerability was found in ks-soft Advanced Host Monitor up to 12.56 and classified as problematic. Affected by this issue is some unknown functionality of the file C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe. The manipulation leads to unquoted search path. It is possible to launch the attack on the local host. Upgrading to version 12.60 is able to address this issue. It is recommended to upgrade the affected component. VDB-227714 is the identifier assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-2417"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-29T01:15:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in ks-soft Advanced Host Monitor up to 12.56 and classified as problematic. Affected by this issue is some unknown functionality of the file C:\\Program Files (x86)\\HostMonitor\\RMA-Win\\rma_active.exe. The manipulation leads to unquoted search path. It is possible to launch the attack on the local host. Upgrading to version 12.60 is able to address this issue. It is recommended to upgrade the affected component. VDB-227714 is the identifier assigned to this vulnerability.",
"id": "GHSA-9736-7xhm-g3ff",
"modified": "2023-04-29T03:30:17Z",
"published": "2023-04-29T03:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2417"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.227714"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.227714"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/172105/Advanced-Host-Monitor-12.56-Unquoted-Service-Path.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-98CC-P3H8-JPVQ
Vulnerability from github – Published: 2026-01-28 15:31 – Updated: 2026-01-28 15:31Input Director 1.4.3 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions.
{
"affected": [],
"aliases": [
"CVE-2020-36990"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-28T13:15:52Z",
"severity": "HIGH"
},
"details": "Input Director 1.4.3 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions.",
"id": "GHSA-98cc-p3h8-jpvq",
"modified": "2026-01-28T15:31:30Z",
"published": "2026-01-28T15:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36990"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/48795"
},
{
"type": "WEB",
"url": "https://www.inputdirector.com"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/input-director-input-director-unquoted-service-path"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-993C-4HX4-CG4R
Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37The Inventory module of the 1E Client 5.0.0.745 doesn't handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe. This may allow remote authenticated users and local users to gain elevated privileges.
{
"affected": [],
"aliases": [
"CVE-2020-27645"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-29T21:15:00Z",
"severity": "HIGH"
},
"details": "The Inventory module of the 1E Client 5.0.0.745 doesn\u0027t handle an unquoted path when executing %PROGRAMFILES%\\1E\\Client\\Tachyon.Performance.Metrics.exe. This may allow remote authenticated users and local users to gain elevated privileges.",
"id": "GHSA-993c-4hx4-cg4r",
"modified": "2022-05-24T17:37:25Z",
"published": "2022-05-24T17:37:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27645"
},
{
"type": "WEB",
"url": "https://help.1e.com/display/GI/1E+Security+Advisory-1E+Client+for+Windows%3A+CVE-2020-16268%2C+CVE-2020-27643%2C+CVE-2020-27644%2C+CVE-2020-27645"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-99JF-RPJR-FWJV
Vulnerability from github – Published: 2026-06-19 15:33 – Updated: 2026-06-19 15:33Windows Firewall Control 4.8.6.0 contains an unquoted service path vulnerability that allows local attackers to escalate privileges by inserting malicious executables in the service path. Attackers can place executable files in unquoted path directories that the wfcs.exe service will execute with LocalSystem privileges upon service restart or system reboot.
{
"affected": [],
"aliases": [
"CVE-2016-20091"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-19T15:16:32Z",
"severity": "HIGH"
},
"details": "Windows Firewall Control 4.8.6.0 contains an unquoted service path vulnerability that allows local attackers to escalate privileges by inserting malicious executables in the service path. Attackers can place executable files in unquoted path directories that the wfcs.exe service will execute with LocalSystem privileges upon service restart or system reboot.",
"id": "GHSA-99jf-rpjr-fwjv",
"modified": "2026-06-19T15:33:18Z",
"published": "2026-06-19T15:33:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-20091"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/40443"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/windows-firewall-control-unquoted-service-path-privilege-escalation"
},
{
"type": "WEB",
"url": "http://www.binisoft.org"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-99MQ-X342-PPQ6
Vulnerability from github – Published: 2026-01-21 18:30 – Updated: 2026-01-21 18:30OSAS Traverse Extension 11 contains an unquoted service path vulnerability in the TravExtensionHostSvc service running with LocalSystem privileges. Attackers can exploit the unquoted path to inject and execute malicious code by placing executable files in the service's path, potentially gaining elevated system access.
{
"affected": [],
"aliases": [
"CVE-2021-47864"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-21T18:16:18Z",
"severity": "HIGH"
},
"details": "OSAS Traverse Extension 11 contains an unquoted service path vulnerability in the TravExtensionHostSvc service running with LocalSystem privileges. Attackers can exploit the unquoted path to inject and execute malicious code by placing executable files in the service\u0027s path, potentially gaining elevated system access.",
"id": "GHSA-99mq-x342-ppq6",
"modified": "2026-01-21T18:30:31Z",
"published": "2026-01-21T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47864"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200817150522/https://www.osas.com"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49698"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/osas-traverse-extension-travextensionhostsvc-unquoted-service-path"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9CJM-JVQX-XQ8Q
Vulnerability from github – Published: 2025-10-31 18:31 – Updated: 2025-10-31 18:31The service Bizerba Communication Server (BCS) has an unquoted service path. Due to the way Windows searches the executable for the BCS service, malicious programs can be executed.
{
"affected": [],
"aliases": [
"CVE-2025-12507"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-31T16:15:39Z",
"severity": "HIGH"
},
"details": "The service Bizerba Communication Server (BCS) has an unquoted service path. Due to the way Windows searches the executable for the BCS service, malicious programs can be executed.",
"id": "GHSA-9cjm-jvqx-xq8q",
"modified": "2025-10-31T18:31:14Z",
"published": "2025-10-31T18:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12507"
},
{
"type": "WEB",
"url": "https://www.bizerba.com/downloads/global/information-security/2025/bizerba-sa-2025-0005.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Properly quote the full search path before executing a program on the system.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.