CWE-428
AllowedUnquoted Search Path or Element
Abstraction: Base · Status: Draft
The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
761 vulnerabilities reference this CWE, most recent first.
GHSA-XG45-V5RP-R5M2
Vulnerability from github – Published: 2023-11-08 21:30 – Updated: 2023-11-16 18:30The LDAP Agent Update service with versions prior to 5.18 used an unquoted path, which could allow arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2023-0392"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-08T21:15:08Z",
"severity": "MODERATE"
},
"details": "The LDAP Agent Update service with versions prior to 5.18 used an unquoted path, which could allow arbitrary code execution.",
"id": "GHSA-xg45-v5rp-r5m2",
"modified": "2023-11-16T18:30:25Z",
"published": "2023-11-08T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0392"
},
{
"type": "WEB",
"url": "https://trust.okta.com/security-advisories/okta-ldap-agent-cve-2023-0392"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XGFF-3PMH-2J23
Vulnerability from github – Published: 2022-04-02 00:00 – Updated: 2022-04-09 00:00Xmanager v7.0.0096 and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file.
{
"affected": [],
"aliases": [
"CVE-2022-27964"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-31T23:15:00Z",
"severity": "MODERATE"
},
"details": "Xmanager v7.0.0096 and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file.",
"id": "GHSA-xgff-3pmh-2j23",
"modified": "2022-04-09T00:00:50Z",
"published": "2022-04-02T00:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27964"
},
{
"type": "WEB",
"url": "https://github.com/ycdxsb/Vuln/blob/main/NetSarang-CreateProcessW-Misuse-Binary-Hijack/Xmanager-CreateProcessW-Misuse-Binary-Hijack"
},
{
"type": "WEB",
"url": "https://www.netsarang.com/en/xmanager-update-history"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XGQ4-GWMR-JVCM
Vulnerability from github – Published: 2026-01-14 00:31 – Updated: 2026-01-14 00:31Tftpd32 SE 4.60 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be run with system-level permissions.
{
"affected": [],
"aliases": [
"CVE-2023-54338"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-13T23:16:01Z",
"severity": "HIGH"
},
"details": "Tftpd32 SE 4.60 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be run with system-level permissions.",
"id": "GHSA-xgq4-gwmr-jvcm",
"modified": "2026-01-14T00:31:29Z",
"published": "2026-01-14T00:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54338"
},
{
"type": "WEB",
"url": "https://pjo2.github.io/tftpd64"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/51076"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/tftpdse-tftpdsvc-unquoted-service-path"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XM42-XFGP-MH86
Vulnerability from github – Published: 2026-01-14 00:31 – Updated: 2026-01-14 00:31Wondershare MobileTrans 3.5.9 contains an unquoted service path vulnerability in the ElevationService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path by placing malicious executables in specific filesystem locations that will be executed with LocalSystem permissions during service startup.
{
"affected": [],
"aliases": [
"CVE-2022-50903"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-13T23:15:52Z",
"severity": "HIGH"
},
"details": "Wondershare MobileTrans 3.5.9 contains an unquoted service path vulnerability in the ElevationService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path by placing malicious executables in specific filesystem locations that will be executed with LocalSystem permissions during service startup.",
"id": "GHSA-xm42-xfgp-mh86",
"modified": "2026-01-14T00:31:27Z",
"published": "2026-01-14T00:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50903"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/50756"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/wondershare-mobiletrans-elevationservice-unquoted-service-path"
},
{
"type": "WEB",
"url": "https://www.wondershare.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XQGW-R8H6-587W
Vulnerability from github – Published: 2022-08-17 00:00 – Updated: 2022-08-24 00:00An unquoted search path vulnerability exists in 'JustSystems JUST Online Update for J-License' bundled with multiple products for corporate users as in Ichitaro through Pro5 and others. Since the affected product starts another program with an unquoted file path, a malicious file may be executed with the privilege of the Windows service if it is placed in a certain path. Affected products are bundled with the following product series: Office and Office Integrated Software, ATOK, Hanako, JUST PDF, Shuriken, Homepage Builder, JUST School, JUST Smile Class, JUST Smile, JUST Frontier, JUST Jump, and Tri-De DetaProtect.
{
"affected": [],
"aliases": [
"CVE-2022-36344"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-16T08:15:00Z",
"severity": "CRITICAL"
},
"details": "An unquoted search path vulnerability exists in \u0027JustSystems JUST Online Update for J-License\u0027 bundled with multiple products for corporate users as in Ichitaro through Pro5 and others. Since the affected product starts another program with an unquoted file path, a malicious file may be executed with the privilege of the Windows service if it is placed in a certain path. Affected products are bundled with the following product series: Office and Office Integrated Software, ATOK, Hanako, JUST PDF, Shuriken, Homepage Builder, JUST School, JUST Smile Class, JUST Smile, JUST Frontier, JUST Jump, and Tri-De DetaProtect.",
"id": "GHSA-xqgw-r8h6-587w",
"modified": "2022-08-24T00:00:31Z",
"published": "2022-08-17T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36344"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN57073973/index.html"
},
{
"type": "WEB",
"url": "https://www.justsystems.com/jp/corporate/info/js22001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XRRP-V29C-5F2G
Vulnerability from github – Published: 2026-01-28 15:31 – Updated: 2026-01-28 15:31Nord VPN 6.31.13.0 contains an unquoted service path vulnerability in its nordvpn-service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path during system startup or reboot to potentially run malicious code with LocalSystem permissions.
{
"affected": [],
"aliases": [
"CVE-2020-36992"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-28T13:15:52Z",
"severity": "HIGH"
},
"details": "Nord VPN 6.31.13.0 contains an unquoted service path vulnerability in its nordvpn-service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path during system startup or reboot to potentially run malicious code with LocalSystem permissions.",
"id": "GHSA-xrrp-v29c-5f2g",
"modified": "2026-01-28T15:31:30Z",
"published": "2026-01-28T15:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36992"
},
{
"type": "WEB",
"url": "https://nordvpn.com"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/48790"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/nord-vpn-nordvpn-service-unquoted-service-path"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XV37-J243-7JFV
Vulnerability from github – Published: 2023-05-24 00:30 – Updated: 2024-04-04 04:19Wondershare Filmora 12 (Build 12.2.1.2088) was discovered to contain an unquoted service path vulnerability via the component NativePushService. This vulnerability allows attackers to launch processes with elevated privileges.
{
"affected": [],
"aliases": [
"CVE-2023-31747"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-23T23:15:09Z",
"severity": "HIGH"
},
"details": "Wondershare Filmora 12 (Build 12.2.1.2088) was discovered to contain an unquoted service path vulnerability via the component NativePushService. This vulnerability allows attackers to launch processes with elevated privileges.",
"id": "GHSA-xv37-j243-7jfv",
"modified": "2024-04-04T04:19:19Z",
"published": "2023-05-24T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31747"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/172464/Filmora-12-Build-1.0.0.7-Unquoted-Service-Path.html"
},
{
"type": "WEB",
"url": "http://filmora.com"
},
{
"type": "WEB",
"url": "http://wondershare.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XVCC-CXHC-J68H
Vulnerability from github – Published: 2026-06-19 15:33 – Updated: 2026-06-19 15:33Wondershare PDFelement 5.2.9 contains a privilege escalation vulnerability due to an unquoted service path in the WsAppService Windows service. Local attackers can place a malicious executable in the service path and execute code with LocalSystem privileges upon service restart or system reboot.
{
"affected": [],
"aliases": [
"CVE-2020-37254"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-19T15:16:34Z",
"severity": "HIGH"
},
"details": "Wondershare PDFelement 5.2.9 contains a privilege escalation vulnerability due to an unquoted service path in the WsAppService Windows service. Local attackers can place a malicious executable in the service path and execute code with LocalSystem privileges upon service restart or system reboot.",
"id": "GHSA-xvcc-cxhc-j68h",
"modified": "2026-06-19T15:33:19Z",
"published": "2026-06-19T15:33:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37254"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/40535"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/wondershare-pdfelement-privilege-escalation-via-unquoted-service-path"
},
{
"type": "WEB",
"url": "https://www.wondershare.com"
},
{
"type": "WEB",
"url": "http://download.wondershare.com/inst/pdfelement_setup_full1042.exe"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XWJM-JCX5-9RRW
Vulnerability from github – Published: 2026-01-30 18:31 – Updated: 2026-01-30 18:31Outline Service 1.3.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in C:\Program Files (x86)\Outline to inject malicious code that would execute with LocalSystem permissions during service startup.
{
"affected": [],
"aliases": [
"CVE-2020-37030"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-30T17:16:11Z",
"severity": "HIGH"
},
"details": "Outline Service 1.3.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in C:\\Program Files (x86)\\Outline to inject malicious code that would execute with LocalSystem permissions during service startup.",
"id": "GHSA-xwjm-jcx5-9rrw",
"modified": "2026-01-30T18:31:15Z",
"published": "2026-01-30T18:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37030"
},
{
"type": "WEB",
"url": "https://getoutline.org/vi/home"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/48414"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/outline-service-outline-service-unquoted-service-path"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XX47-VFR9-X3X7
Vulnerability from github – Published: 2026-01-21 18:30 – Updated: 2026-01-21 18:30OKI Print Job Accounting 4.4.10 contains an unquoted service path vulnerability in the OkiJaSvc service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Okidata\Print Job Accounting\' to inject malicious executables and escalate privileges.
{
"affected": [],
"aliases": [
"CVE-2021-47887"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-21T18:16:23Z",
"severity": "HIGH"
},
"details": "OKI Print Job Accounting 4.4.10 contains an unquoted service path vulnerability in the OkiJaSvc service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in \u0027C:\\Program Files\\Okidata\\Print Job Accounting\\\u0027 to inject malicious executables and escalate privileges.",
"id": "GHSA-xx47-vfr9-x3x7",
"modified": "2026-01-21T18:30:32Z",
"published": "2026-01-21T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47887"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20211207181409/https://www.oki.com/me/printing/services-and-solutions/smart-solutions/print-job-accounting/index.html"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49623"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/print-job-accounting-okijasvc-unquoted-service-path"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Properly quote the full search path before executing a program on the system.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.