CWE-428
AllowedUnquoted Search Path or Element
Abstraction: Base · Status: Draft
The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
761 vulnerabilities reference this CWE, most recent first.
GHSA-JC49-Q8PM-MWX9
Vulnerability from github – Published: 2026-01-27 21:31 – Updated: 2026-01-27 21:31Realtek Andrea RT Filters 1.0.64.7 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in 'C:\Program Files\IDT\WDM\AESTSr64.exe' to inject malicious code that would execute during service startup or system reboot.
{
"affected": [],
"aliases": [
"CVE-2020-36974"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-27T19:16:09Z",
"severity": "HIGH"
},
"details": "Realtek Andrea RT Filters 1.0.64.7 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in \u0027C:\\Program Files\\IDT\\WDM\\AESTSr64.exe\u0027 to inject malicious code that would execute during service startup or system reboot.",
"id": "GHSA-jc49-q8pm-mwx9",
"modified": "2026-01-27T21:31:46Z",
"published": "2026-01-27T21:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36974"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49158"
},
{
"type": "WEB",
"url": "https://www.realtek.com/en"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/realtek-andrea-rt-filters-aertsrexe-unquoted-service-path"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JCMJ-4X77-VHPR
Vulnerability from github – Published: 2025-12-05 18:31 – Updated: 2025-12-05 18:31Flexsense DiskBoss 11.7.28 allows unauthenticated attackers to elevate their privileges using any of its services, enabling remote code execution during startup or reboot with escalated privileges. Attackers can exploit the unquoted service path vulnerability by specifying a malicious service name in the 'sc qc' command, allowing them to execute arbitrary system commands.
{
"affected": [],
"aliases": [
"CVE-2020-36879"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-05T18:15:53Z",
"severity": "HIGH"
},
"details": "Flexsense DiskBoss 11.7.28 allows unauthenticated attackers to elevate their privileges using any of its services, enabling remote code execution during startup or reboot with escalated privileges. Attackers can exploit the unquoted service path vulnerability by specifying a malicious service name in the \u0027sc qc\u0027 command, allowing them to execute arbitrary system commands.",
"id": "GHSA-jcmj-4x77-vhpr",
"modified": "2025-12-05T18:31:12Z",
"published": "2025-12-05T18:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36879"
},
{
"type": "WEB",
"url": "https://www.diskboss.com"
},
{
"type": "WEB",
"url": "https://www.diskboss.com/downloads.html"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49022"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/flexsense-diskboss-service-unquoted-service-path-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JCWP-Q8H7-72PM
Vulnerability from github – Published: 2026-01-21 18:30 – Updated: 2026-01-21 18:30Sandboxie Plus 0.7.2 contains an unquoted service path vulnerability in the SbieSvc service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem permissions during service startup.
{
"affected": [],
"aliases": [
"CVE-2021-47883"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-21T18:16:22Z",
"severity": "HIGH"
},
"details": "Sandboxie Plus 0.7.2 contains an unquoted service path vulnerability in the SbieSvc service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem permissions during service startup.",
"id": "GHSA-jcwp-q8h7-72pm",
"modified": "2026-01-21T18:30:31Z",
"published": "2026-01-21T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47883"
},
{
"type": "WEB",
"url": "https://sandboxie-plus.com"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49631"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/sandboxie-plus-sbiesvc-unquoted-service-path"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JFFX-85PQ-VRR5
Vulnerability from github – Published: 2025-12-22 15:30 – Updated: 2026-06-04 09:30Unquoted Search Path or Element vulnerability in NetBT Consulting Services Inc. E-Fatura allows Leveraging/Manipulating Configuration File Search Paths, Redirect Access to Libraries.This issue affects e-Fatura: before 1.2.15.
{
"affected": [],
"aliases": [
"CVE-2025-14018"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-22T14:15:59Z",
"severity": "HIGH"
},
"details": "Unquoted Search Path or Element vulnerability in NetBT Consulting Services Inc. E-Fatura allows Leveraging/Manipulating Configuration File Search Paths, Redirect Access to Libraries.This issue affects e-Fatura: before 1.2.15.",
"id": "GHSA-jffx-85pq-vrr5",
"modified": "2026-06-04T09:30:34Z",
"published": "2025-12-22T15:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14018"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0474"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-25-0474"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-JFJH-6GVQ-RJX3
Vulnerability from github – Published: 2022-05-17 03:40 – Updated: 2022-05-17 03:40Unquoted Windows search path vulnerability in Moxa Active OPC Server before 2.4.19 allows local users to gain privileges via a Trojan horse executable file in the %SYSTEMDRIVE% directory.
{
"affected": [],
"aliases": [
"CVE-2016-5793"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-09-24T10:59:00Z",
"severity": "HIGH"
},
"details": "Unquoted Windows search path vulnerability in Moxa Active OPC Server before 2.4.19 allows local users to gain privileges via a Trojan horse executable file in the %SYSTEMDRIVE% directory.",
"id": "GHSA-jfjh-6gvq-rjx3",
"modified": "2022-05-17T03:40:12Z",
"published": "2022-05-17T03:40:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5793"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-264-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/93046"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JFMW-RHF3-688H
Vulnerability from github – Published: 2022-05-21 00:01 – Updated: 2022-05-27 00:00Sony PlayMemories Home v6.0 contains an unquoted service path which allows attackers to escalate privileges to the system level.
{
"affected": [],
"aliases": [
"CVE-2022-27094"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-20T13:15:00Z",
"severity": "HIGH"
},
"details": "Sony PlayMemories Home v6.0 contains an unquoted service path which allows attackers to escalate privileges to the system level.",
"id": "GHSA-jfmw-rhf3-688h",
"modified": "2022-05-27T00:00:45Z",
"published": "2022-05-21T00:01:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27094"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/50817"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JFQX-FXH3-C62J
Vulnerability from github – Published: 2026-04-03 02:38 – Updated: 2026-04-06 23:10Impact
On Windows, app.setLoginItemSettings({openAtLogin: true}) wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app.
On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location.
Workarounds
Install the application to a path without spaces, or to a location where all ancestor directories are protected against unauthorized writes.
Fixed Versions
41.0.0-beta.840.8.039.8.138.8.6
For more information
If there are any questions or comments about this advisory, send an email to security@electronjs.org
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "38.8.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "39.0.0-alpha.1"
},
{
"fixed": "39.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "40.0.0-alpha.1"
},
{
"fixed": "40.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "41.0.0-alpha.1"
},
{
"fixed": "41.0.0-beta.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34768"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-03T02:38:08Z",
"nvd_published_at": "2026-04-04T00:16:17Z",
"severity": "LOW"
},
"details": "### Impact\nOn Windows, `app.setLoginItemSettings({openAtLogin: true})` wrote the executable path to the `Run` registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app.\n\nOn a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location.\n\n### Workarounds\nInstall the application to a path without spaces, or to a location where all ancestor directories are protected against unauthorized writes.\n\n### Fixed Versions\n* `41.0.0-beta.8`\n* `40.8.0`\n* `39.8.1`\n* `38.8.6`\n\n### For more information\nIf there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org)",
"id": "GHSA-jfqx-fxh3-c62j",
"modified": "2026-04-06T23:10:34Z",
"published": "2026-04-03T02:38:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/electron/electron/security/advisories/GHSA-jfqx-fxh3-c62j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34768"
},
{
"type": "PACKAGE",
"url": "https://github.com/electron/electron"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Electron: Unquoted executable path in app.setLoginItemSettings on Windows"
}
GHSA-JGMP-9P3R-PCGR
Vulnerability from github – Published: 2026-02-05 00:31 – Updated: 2026-02-05 00:31Studio 5000 Logix Designer 30.01.00 contains an unquoted service path vulnerability in the FactoryTalk Activation Service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\ to inject malicious code that would execute with LocalSystem permissions.
{
"affected": [],
"aliases": [
"CVE-2019-25276"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-05T00:15:52Z",
"severity": "HIGH"
},
"details": "Studio 5000 Logix Designer 30.01.00 contains an unquoted service path vulnerability in the FactoryTalk Activation Service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\\Program Files (x86)\\Rockwell Software\\FactoryTalk Activation\\ to inject malicious code that would execute with LocalSystem permissions.",
"id": "GHSA-jgmp-9p3r-pcgr",
"modified": "2026-02-05T00:31:01Z",
"published": "2026-02-05T00:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25276"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/47676"
},
{
"type": "WEB",
"url": "https://www.rockwellautomation.com/en_NA/overview.page"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/studio-logix-designer-factorytalk-activation-service-unquoted-service-path"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JQRW-QRP2-9PG2
Vulnerability from github – Published: 2026-01-16 00:30 – Updated: 2026-01-16 00:30DiskPulse Enterprise 13.6.14 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Pulse Enterprise\bin\diskpls.exe' to inject malicious executables and escalate privileges.
{
"affected": [],
"aliases": [
"CVE-2020-36927"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-16T00:16:19Z",
"severity": "HIGH"
},
"details": "DiskPulse Enterprise 13.6.14 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in \u0027C:\\Program Files\\Disk Pulse Enterprise\\bin\\diskpls.exe\u0027 to inject malicious executables and escalate privileges.",
"id": "GHSA-jqrw-qrp2-9pg2",
"modified": "2026-01-16T00:30:54Z",
"published": "2026-01-16T00:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36927"
},
{
"type": "WEB",
"url": "https://www.diskpulse.com"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/50012"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/diskpulse-unquoted-service-path"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JV2H-2W94-CHWV
Vulnerability from github – Published: 2026-01-27 21:31 – Updated: 2026-01-27 21:31Motorola Device Manager 2.5.4 contains an unquoted service path vulnerability in the MotoHelperService.exe service that allows local users to potentially inject malicious code. Attackers can exploit the unquoted path in the service configuration to execute arbitrary code with elevated system privileges during service startup.
{
"affected": [],
"aliases": [
"CVE-2020-36982"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-27T19:16:11Z",
"severity": "HIGH"
},
"details": "Motorola Device Manager 2.5.4 contains an unquoted service path vulnerability in the MotoHelperService.exe service that allows local users to potentially inject malicious code. Attackers can exploit the unquoted path in the service configuration to execute arbitrary code with elevated system privileges during service startup.",
"id": "GHSA-jv2h-2w94-chwv",
"modified": "2026-01-27T21:31:47Z",
"published": "2026-01-27T21:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36982"
},
{
"type": "WEB",
"url": "https://motorola-device-manager.programas-gratis.net/gracias"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49012"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/motorola-device-manager-motohelperserviceexe-unquoted-service-path"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Properly quote the full search path before executing a program on the system.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.