Common Weakness Enumeration

CWE-428

Allowed

Unquoted Search Path or Element

Abstraction: Base · Status: Draft

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.

761 vulnerabilities reference this CWE, most recent first.

GHSA-MWQ2-V3H2-Q84R

Vulnerability from github – Published: 2024-03-12 15:32 – Updated: 2024-03-12 15:32
VLAI
Details

A search path or unquoted item vulnerability in Faronics Deep Freeze Server Standard, which affects versions 8.30.020.4627 and earlier. This vulnerability affects the DFServ.exe file. An attacker with local user privileges could exploit this vulnerability to replace the legitimate DFServ.exe service executable with a malicious file of the same name and located in a directory that has a higher priority than the legitimate directory. Thus, when the service starts, it will run the malicious file instead of the legitimate executable, allowing the attacker to execute arbitrary code, gain unauthorized access to the compromised system or stop the service from running.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1618"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-12T15:15:48Z",
    "severity": "HIGH"
  },
  "details": "A search path or unquoted item vulnerability in Faronics Deep Freeze Server Standard, which affects versions 8.30.020.4627 and earlier. This vulnerability affects the DFServ.exe file.\u00a0An attacker with local user privileges could exploit this vulnerability to replace the legitimate DFServ.exe service executable with a malicious file of the same name and located in a directory that has a higher priority than the legitimate directory.\u00a0Thus, when the service starts, it will run the malicious file instead of the legitimate executable, allowing the attacker to execute arbitrary code, gain unauthorized access to the compromised system or stop the service from running.",
  "id": "GHSA-mwq2-v3h2-q84r",
  "modified": "2024-03-12T15:32:21Z",
  "published": "2024-03-12T15:32:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1618"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/unquoted-item-or-search-path-vulnerability-faronics-deep-freeze-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MWW5-Q78W-FFPV

Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2026-05-28 18:30
VLAI
Details

Unquoted Windows search path vulnerability in the ptservice service prior to PrivateTunnel version 3.0 (Windows) and OpenVPN Connect version 3.1 (Windows) allows local users to gain privileges via a crafted program.exe file in the %SYSTEMDRIVE% folder.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-5455"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-08-25T16:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Unquoted Windows search path vulnerability in the ptservice service prior to PrivateTunnel version 3.0 (Windows) and OpenVPN Connect version 3.1 (Windows) allows local users to gain privileges via a crafted program.exe file in the %SYSTEMDRIVE% folder.",
  "id": "GHSA-mww5-q78w-ffpv",
  "modified": "2026-05-28T18:30:24Z",
  "published": "2022-05-13T01:26:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-5455"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CVEProject/cvelist/pull/3909"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CVEProject/cvelist/pull/3909/commits/ace34f1cf94602f31760d3eb7ae68e17df8f914d"
    },
    {
      "type": "WEB",
      "url": "https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05325943"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/show/osvdb/109007"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/127439/OpenVPN-Private-Tunnel-Privilege-Escalation.html"
    },
    {
      "type": "WEB",
      "url": "http://www.exploit-db.com/exploits/34037"
    },
    {
      "type": "WEB",
      "url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5192.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MXF4-GXW9-74F4

Vulnerability from github – Published: 2022-04-05 00:00 – Updated: 2022-04-13 00:00
VLAI
Details

An Unquoted Service Path vulnerability exits in Vembu BDR 4.2.0.1 via a specially crafted file in the (1) hsflowd, (2) VembuBDR360Agent, or (3) VembuOffice365Agent service paths.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-43458"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-04T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "An Unquoted Service Path vulnerability exits in Vembu BDR 4.2.0.1 via a specially crafted file in the (1) hsflowd, (2) VembuBDR360Agent, or (3) VembuOffice365Agent service paths.",
  "id": "GHSA-mxf4-gxw9-74f4",
  "modified": "2022-04-13T00:00:49Z",
  "published": "2022-04-05T00:00:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43458"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/198151"
    },
    {
      "type": "WEB",
      "url": "https://github.com/M507/Miner"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/49641"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MXJ5-2P9R-3838

Vulnerability from github – Published: 2026-03-16 15:30 – Updated: 2026-03-16 15:30
VLAI
Details

Serviio PRO 1.8 contains an unquoted search path vulnerability in the Windows service that allows local users to execute arbitrary code with elevated privileges by placing malicious executables in the system root path. Additionally, improper directory permissions with full access for the Users group allow authenticated users to replace the executable file with arbitrary binaries, enabling privilege escalation during service startup or system reboot.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-20218"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-16T14:17:51Z",
    "severity": "HIGH"
  },
  "details": "Serviio PRO 1.8 contains an unquoted search path vulnerability in the Windows service that allows local users to execute arbitrary code with elevated privileges by placing malicious executables in the system root path. Additionally, improper directory permissions with full access for the Users group allow authenticated users to replace the executable file with arbitrary binaries, enabling privilege escalation during service startup or system reboot.",
  "id": "GHSA-mxj5-2p9r-3838",
  "modified": "2026-03-16T15:30:41Z",
  "published": "2026-03-16T15:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20218"
    },
    {
      "type": "WEB",
      "url": "https://blogs.securiteam.com/index.php/archives/3094"
    },
    {
      "type": "WEB",
      "url": "https://cxsecurity.com/issue/WLB-2017050019"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/125644"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/142384"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/41959"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/serviio-pro-local-privilege-escalation-via-unquoted-path"
    },
    {
      "type": "WEB",
      "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5405.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MXMC-G5XC-MM3G

Vulnerability from github – Published: 2026-01-16 21:30 – Updated: 2026-01-16 21:30
VLAI
Details

Disk Sorter Server 13.6.12 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Sorter Server\bin\disksrs.exe' to inject malicious executables and escalate privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47847"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-16T19:16:10Z",
    "severity": "HIGH"
  },
  "details": "Disk Sorter Server 13.6.12 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in \u0027C:\\Program Files\\Disk Sorter Server\\bin\\disksrs.exe\u0027 to inject malicious executables and escalate privileges.",
  "id": "GHSA-mxmc-g5xc-mm3g",
  "modified": "2026-01-16T21:30:37Z",
  "published": "2026-01-16T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47847"
    },
    {
      "type": "WEB",
      "url": "https://www.disksorter.com"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/50013"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/disk-sorter-server-disk-sorter-server-unquoted-service-path"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MXXM-GRWW-GXGP

Vulnerability from github – Published: 2022-04-05 00:00 – Updated: 2022-04-12 00:00
VLAI
Details

An Unquoted Service Path vulnerability exists in AnyTXT Searcher 1.2.394 via a specially crafted file in the ATService path. .

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-43454"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-04T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "An Unquoted Service Path vulnerability exists in AnyTXT Searcher 1.2.394 via a specially crafted file in the ATService path. .",
  "id": "GHSA-mxxm-grww-gxgp",
  "modified": "2022-04-12T00:00:56Z",
  "published": "2022-04-05T00:00:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43454"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196532"
    },
    {
      "type": "WEB",
      "url": "https://github.com/M507/Miner"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/49549"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P229-4HC8-7FPX

Vulnerability from github – Published: 2026-02-05 00:31 – Updated: 2026-02-05 00:31
VLAI
Details

BartVPN 1.2.2 contains an unquoted service path vulnerability in the BartVPNService that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific file system locations to hijack the service's execution context.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-25275"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-05T00:15:52Z",
    "severity": "HIGH"
  },
  "details": "BartVPN 1.2.2 contains an unquoted service path vulnerability in the BartVPNService that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific file system locations to hijack the service\u0027s execution context.",
  "id": "GHSA-p229-4hc8-7fpx",
  "modified": "2026-02-05T00:31:01Z",
  "published": "2026-02-05T00:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25275"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/47675"
    },
    {
      "type": "WEB",
      "url": "https://www.filehorse.com"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/bartvpn-bartvpnservice-unquoted-service-path"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P267-5W4M-PPRH

Vulnerability from github – Published: 2022-02-10 00:00 – Updated: 2022-02-10 00:00
VLAI
Details

A local unquoted search path security vulnerability has been identified in HPE Agentless Management Service for Windows version(s): Prior to 1.44.0.0, 10.96.0.0. This vulnerability could be exploited locally by a user with high privileges to execute malware that may lead to a loss of confidentiality, integrity, and availability. HPE has provided software updates to resolve the vulnerability in HPE Agentless Management Service for Windows.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-29218"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-04T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A local unquoted search path security vulnerability has been identified in HPE Agentless Management Service for Windows version(s): Prior to 1.44.0.0, 10.96.0.0. This vulnerability could be exploited locally by a user with high privileges to execute malware that may lead to a loss of confidentiality, integrity, and availability. HPE has provided software updates to resolve the vulnerability in HPE Agentless Management Service for Windows.",
  "id": "GHSA-p267-5w4m-pprh",
  "modified": "2022-02-10T00:00:42Z",
  "published": "2022-02-10T00:00:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29218"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbgn04233en_us"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-P2MJ-Q764-7J4J

Vulnerability from github – Published: 2026-01-21 18:30 – Updated: 2026-01-21 18:30
VLAI
Details

WIN-PACK PRO4.8 contains an unquoted service path vulnerability in the ScheduleService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in 'C:\Program Files \WINPAKPRO\ScheduleService Service.exe' to inject malicious code that would execute during service startup.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-21T18:16:18Z",
    "severity": "HIGH"
  },
  "details": "WIN-PACK PRO4.8 contains an unquoted service path vulnerability in the ScheduleService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in \u0027C:\\Program Files \u003cx86\u003e\\WINPAKPRO\\ScheduleService Service.exe\u0027 to inject malicious code that would execute during service startup.",
  "id": "GHSA-p2mj-q764-7j4j",
  "modified": "2026-01-21T18:30:31Z",
  "published": "2026-01-21T18:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47867"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/49691"
    },
    {
      "type": "WEB",
      "url": "https://www.security.honeywell.com/product-repository/winpak"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/win-pack-pro-scheduleservice-unquoted-service-path"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P35X-5893-X6GP

Vulnerability from github – Published: 2024-02-19 06:30 – Updated: 2025-03-25 18:30
VLAI
Details

An unquoted service path vulnerability in the 12d Synergy Server and File Replication Server components may allow an attacker to gain elevated privileges via the 12d Synergy Server and/or 12d Synergy File Replication Server executable service path. This is fixed in 4.3.10.192, 5.1.5.221, and 5.1.6.235.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-24722"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-19T06:15:07Z",
    "severity": "CRITICAL"
  },
  "details": "An unquoted service path vulnerability in the 12d Synergy Server and File Replication Server components may allow an attacker to gain elevated privileges via the 12d Synergy Server and/or 12d Synergy File Replication Server executable service path. This is fixed in 4.3.10.192, 5.1.5.221, and 5.1.6.235.",
  "id": "GHSA-p35x-5893-x6gp",
  "modified": "2025-03-25T18:30:25Z",
  "published": "2024-02-19T06:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24722"
    },
    {
      "type": "WEB",
      "url": "https://files.12dsynergy.com/downloads/download.aspx"
    },
    {
      "type": "WEB",
      "url": "https://help.12dsynergy.com/v1/docs/cve-2024-24722"
    },
    {
      "type": "WEB",
      "url": "https://www.12dsynergy.com/security-statement"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Properly quote the full search path before executing a program on the system.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

No CAPEC attack patterns related to this CWE.