CWE-428
AllowedUnquoted Search Path or Element
Abstraction: Base · Status: Draft
The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
761 vulnerabilities reference this CWE, most recent first.
GHSA-V9MC-W4G8-M32W
Vulnerability from github – Published: 2023-05-10 15:30 – Updated: 2024-04-04 03:59Uncontrolled search path in some Intel(R) NUC Chaco Canyon BIOS update software before version iFlashV Windows 5.13.00.2105 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2022-38101"
],
"database_specific": {
"cwe_ids": [
"CWE-427",
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-10T14:15:13Z",
"severity": "HIGH"
},
"details": "Uncontrolled search path in some Intel(R) NUC Chaco Canyon BIOS update software before version iFlashV Windows 5.13.00.2105 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-v9mc-w4g8-m32w",
"modified": "2024-04-04T03:59:23Z",
"published": "2023-05-10T15:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38101"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00780.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VCPC-5M37-QV5V
Vulnerability from github – Published: 2025-11-05 09:30 – Updated: 2025-11-05 09:30Optical Disc Archive Software provided by Sony Corporation registers a Windows service with an unquoted file path. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.
{
"affected": [],
"aliases": [
"CVE-2025-62225"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-05T07:15:33Z",
"severity": "HIGH"
},
"details": "Optical Disc Archive Software provided by Sony Corporation registers a Windows service with an unquoted file path. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.",
"id": "GHSA-vcpc-5m37-qv5v",
"modified": "2025-11-05T09:30:25Z",
"published": "2025-11-05T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62225"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN81917433"
},
{
"type": "WEB",
"url": "https://www.sony.jp/oda/application/?srsltid=AfmBOoo8t7k-alQo7ZnV2MAhq8qfIJtFOJN41U2Tu-B1yrpx3Y_KHurk"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VCQW-5625-54XG
Vulnerability from github – Published: 2026-06-19 15:33 – Updated: 2026-06-19 15:33Winstep 18.06.0096 contains an unquoted service path vulnerability in the Winstep Xtreme Service that allows local attackers to escalate privileges. Attackers can place malicious executables in the Program Files directory to be executed with LocalSystem privileges when the service starts.
{
"affected": [],
"aliases": [
"CVE-2020-37253"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-19T15:16:34Z",
"severity": "HIGH"
},
"details": "Winstep 18.06.0096 contains an unquoted service path vulnerability in the Winstep Xtreme Service that allows local attackers to escalate privileges. Attackers can place malicious executables in the Program Files directory to be executed with LocalSystem privileges when the service starts.",
"id": "GHSA-vcqw-5625-54xg",
"modified": "2026-06-19T15:33:18Z",
"published": "2026-06-19T15:33:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37253"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49004"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/winstep-unquoted-service-path-privilege-escalation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VCW8-RV56-C6JQ
Vulnerability from github – Published: 2022-04-02 00:00 – Updated: 2022-04-09 00:00Xlpd v7.0.0094 and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file.
{
"affected": [],
"aliases": [
"CVE-2022-27965"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-31T23:15:00Z",
"severity": "MODERATE"
},
"details": "Xlpd v7.0.0094 and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file.",
"id": "GHSA-vcw8-rv56-c6jq",
"modified": "2022-04-09T00:00:50Z",
"published": "2022-04-02T00:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27965"
},
{
"type": "WEB",
"url": "https://github.com/ycdxsb/Vuln/tree/main/NetSarang-CreateProcessW-Misuse-Binary-Hijack/Xlpd-CreateProcessW-Misuse-Binary-Hijack"
},
{
"type": "WEB",
"url": "https://www.netsarang.com/en/xlpd-update-history"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VCXH-HFRR-5F7F
Vulnerability from github – Published: 2023-03-16 12:30 – Updated: 2023-03-22 18:30VX Search v13.8 and v14.7 was discovered to contain an unquoted service path vulnerability which allows attackers to execute arbitrary commands at elevated privileges via a crafted executable file.
{
"affected": [],
"aliases": [
"CVE-2023-24671"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-16T12:15:00Z",
"severity": "HIGH"
},
"details": "VX Search v13.8 and v14.7 was discovered to contain an unquoted service path vulnerability which allows attackers to execute arbitrary commands at elevated privileges via a crafted executable file.",
"id": "GHSA-vcxh-hfrr-5f7f",
"modified": "2023-03-22T18:30:39Z",
"published": "2023-03-16T12:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24671"
},
{
"type": "WEB",
"url": "https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/171300/VX-Search-13.8-Unquoted-Service-Path.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VJVV-QRP6-VQ73
Vulnerability from github – Published: 2026-01-16 00:30 – Updated: 2026-01-16 00:30Disk Sorter Enterprise 13.6.12 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe' to inject malicious executables and escalate privileges.
{
"affected": [],
"aliases": [
"CVE-2021-47809"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-16T00:16:25Z",
"severity": "HIGH"
},
"details": "Disk Sorter Enterprise 13.6.12 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in \u0027C:\\Program Files\\Disk Sorter Enterprise\\bin\\disksrs.exe\u0027 to inject malicious executables and escalate privileges.",
"id": "GHSA-vjvv-qrp6-vq73",
"modified": "2026-01-16T00:30:55Z",
"published": "2026-01-16T00:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47809"
},
{
"type": "WEB",
"url": "https://www.disksorter.com"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/50014"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/disk-sorter-enterprise-disk-sorter-enterprise-unquoted-service-path"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VM63-8W76-P82F
Vulnerability from github – Published: 2026-01-23 18:31 – Updated: 2026-01-23 18:31PDF Complete Corporate Edition 4.1.45 contains an unquoted service path vulnerability in the pdfcDispatcher service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in the service binary location to inject malicious executables that will be run with elevated LocalSystem privileges.
{
"affected": [],
"aliases": [
"CVE-2021-47896"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-23T17:15:58Z",
"severity": "HIGH"
},
"details": "PDF Complete Corporate Edition 4.1.45 contains an unquoted service path vulnerability in the pdfcDispatcher service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in the service binary location to inject malicious executables that will be run with elevated LocalSystem privileges.",
"id": "GHSA-vm63-8w76-p82f",
"modified": "2026-01-23T18:31:29Z",
"published": "2026-01-23T18:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47896"
},
{
"type": "WEB",
"url": "https://pdf-complete.informer.com/download"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49558"
},
{
"type": "WEB",
"url": "https://www.pdfcomplete.com/cms/dpl/tabid/111/Default.aspx?r=du2vH8r"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/pdfcomplete-corporate-edition-pdfcdispatcher-unquoted-service-path"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VP84-GQH8-X8V5
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 01:02Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without using quotes in the path. This can cause loading of a previously placed executable with a name similar to the parts of the path, instead of the intended one.
{
"affected": [],
"aliases": [
"CVE-2019-8459"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-20T17:15:00Z",
"severity": "CRITICAL"
},
"details": "Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without using quotes in the path. This can cause loading of a previously placed executable with a name similar to the parts of the path, instead of the intended one.",
"id": "GHSA-vp84-gqh8-x8v5",
"modified": "2024-04-04T01:02:29Z",
"published": "2022-05-24T16:48:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8459"
},
{
"type": "WEB",
"url": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=\u0026solutionid=sk124972#Resolved%20Issues"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VPRW-XVJ6-CHJQ
Vulnerability from github – Published: 2022-05-14 03:01 – Updated: 2022-05-14 03:01Unquoted service paths in Intel Processor Diagnostic Tool (IPDT) before version 4.1.0.27 allows a local attacker to potentially execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2018-3668"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-10T21:29:00Z",
"severity": "HIGH"
},
"details": "Unquoted service paths in Intel Processor Diagnostic Tool (IPDT) before version 4.1.0.27 allows a local attacker to potentially execute arbitrary code.",
"id": "GHSA-vprw-xvj6-chjq",
"modified": "2022-05-14T03:01:04Z",
"published": "2022-05-14T03:01:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3668"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00140.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VQ8R-FXMM-FVXP
Vulnerability from github – Published: 2025-12-12 00:30 – Updated: 2025-12-12 00:30Genexus Protection Server 9.7.2.10 contains an unquoted service path vulnerability in the protsrvservice Windows service configuration. Attackers can exploit the unquoted binary path to execute arbitrary code with elevated LocalSystem privileges by placing malicious executables in specific file system locations.
{
"affected": [],
"aliases": [
"CVE-2024-58288"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-11T22:15:49Z",
"severity": "HIGH"
},
"details": "Genexus Protection Server 9.7.2.10 contains an unquoted service path vulnerability in the protsrvservice Windows service configuration. Attackers can exploit the unquoted binary path to execute arbitrary code with elevated LocalSystem privileges by placing malicious executables in specific file system locations.",
"id": "GHSA-vq8r-fxmm-fvxp",
"modified": "2025-12-12T00:30:20Z",
"published": "2025-12-12T00:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58288"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/52065"
},
{
"type": "WEB",
"url": "https://www.genexus.com/en/developers/downloadcenter?data=;;"
},
{
"type": "WEB",
"url": "https://www.genexus.com/es"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/genexus-protection-server-unquoted-service-path-privilege-escalation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Properly quote the full search path before executing a program on the system.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.