CWE-426
Allowed-with-ReviewUntrusted Search Path
Abstraction: Base · Status: Stable
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
892 vulnerabilities reference this CWE, most recent first.
GHSA-QQFG-FRWJ-847V
Vulnerability from github – Published: 2022-05-13 01:03 – Updated: 2022-05-13 01:03Untrusted search path vulnerability in Microsoft Internet Explorer 9 on Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains an HTML file, aka "Internet Explorer Insecure Library Loading Vulnerability."
{
"affected": [],
"aliases": [
"CVE-2011-2019"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-12-14T00:55:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in Microsoft Internet Explorer 9 on Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains an HTML file, aka \"Internet Explorer Insecure Library Loading Vulnerability.\"",
"id": "GHSA-qqfg-frwj-847v",
"modified": "2022-05-13T01:03:26Z",
"published": "2022-05-13T01:03:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2019"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-099"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13884"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/cas/techalerts/TA11-347A.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QQHF-V97G-RHW4
Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2024-04-04 02:40Code42 server through 7.0.2 for Windows has an Untrusted Search Path. In certain situations, a non-administrative attacker on the local server could create or modify a dynamic-link library (DLL). The Code42 service could then load it at runtime, and potentially execute arbitrary code at an elevated privilege on the local server.
{
"affected": [],
"aliases": [
"CVE-2019-16861"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-19T13:15:00Z",
"severity": "HIGH"
},
"details": "Code42 server through 7.0.2 for Windows has an Untrusted Search Path. In certain situations, a non-administrative attacker on the local server could create or modify a dynamic-link library (DLL). The Code42 service could then load it at runtime, and potentially execute arbitrary code at an elevated privilege on the local server.",
"id": "GHSA-qqhf-v97g-rhw4",
"modified": "2024-04-04T02:40:04Z",
"published": "2022-05-24T17:01:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16861"
},
{
"type": "WEB",
"url": "https://code42.com/r/support/CVE-2019-16861"
},
{
"type": "WEB",
"url": "https://support.code42.com/Terms_and_conditions/Code42_customer_support_resources/Code42_security_advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QR57-C849-39J8
Vulnerability from github – Published: 2022-05-14 03:37 – Updated: 2022-05-14 03:37An issue was discovered in PureVPN through 5.19.4.0 on Windows. The client installation grants the Everyone group Full Control permission to the installation directory. In addition, the PureVPNService.exe service, which runs under NT Authority\SYSTEM privileges, tries to load several dynamic-link libraries using relative paths instead of the absolute path. When not using a fully qualified path, the application will first try to load the library from the directory from which the application is started. As the residing directory of PureVPNService.exe is writable to all users, this makes the application susceptible to privilege escalation through DLL hijacking.
{
"affected": [],
"aliases": [
"CVE-2018-7484"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-26T02:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in PureVPN through 5.19.4.0 on Windows. The client installation grants the Everyone group Full Control permission to the installation directory. In addition, the PureVPNService.exe service, which runs under NT Authority\\SYSTEM privileges, tries to load several dynamic-link libraries using relative paths instead of the absolute path. When not using a fully qualified path, the application will first try to load the library from the directory from which the application is started. As the residing directory of PureVPNService.exe is writable to all users, this makes the application susceptible to privilege escalation through DLL hijacking.",
"id": "GHSA-qr57-c849-39j8",
"modified": "2022-05-14T03:37:08Z",
"published": "2022-05-14T03:37:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7484"
},
{
"type": "WEB",
"url": "https://www.securityfocus.com/archive/1/541803"
},
{
"type": "WEB",
"url": "http://www.defensecode.com/advisories/DC-2018-02-001-PureVPN-Windows-Privilege-Escalation.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QRHF-Q88M-C43R
Vulnerability from github – Published: 2022-05-24 17:39 – Updated: 2022-05-24 17:39Untrusted search path vulnerability in the installer of SKYSEA Client View Ver.1.020.05b to Ver.16.001.01g allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2021-20616"
],
"database_specific": {
"cwe_ids": [
"CWE-426",
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-13T10:15:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in the installer of SKYSEA Client View Ver.1.020.05b to Ver.16.001.01g allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-qrhf-q88m-c43r",
"modified": "2022-05-24T17:39:12Z",
"published": "2022-05-24T17:39:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20616"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN69635538/index.html"
},
{
"type": "WEB",
"url": "https://www.skyseaclientview.net/news/210112_01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QV42-RGF2-JWRJ
Vulnerability from github – Published: 2024-07-09 21:30 – Updated: 2024-07-09 21:30Premiere Pro versions 23.6.5, 24.4.1 and earlier are affected by an Untrusted Search Path vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by inserting a malicious file into the search path, which the application might execute instead of the legitimate file. This could occur when the application uses a search path to locate executables or libraries. Exploitation of this issue requires user interaction, attack complexity is high.
{
"affected": [],
"aliases": [
"CVE-2024-34123"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T19:15:11Z",
"severity": "HIGH"
},
"details": "Premiere Pro versions 23.6.5, 24.4.1 and earlier are affected by an Untrusted Search Path vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by inserting a malicious file into the search path, which the application might execute instead of the legitimate file. This could occur when the application uses a search path to locate executables or libraries. Exploitation of this issue requires user interaction, attack complexity is high.",
"id": "GHSA-qv42-rgf2-jwrj",
"modified": "2024-07-09T21:30:35Z",
"published": "2024-07-09T21:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34123"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/premiere_pro/apsb24-46.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QX58-8PV8-9QJC
Vulnerability from github – Published: 2022-05-14 03:51 – Updated: 2022-05-14 03:51Untrusted search path vulnerability in Content Manager Assistant for PlayStation version 3.55.7671.0901 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2017-17010"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-27T17:08:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in Content Manager Assistant for PlayStation version 3.55.7671.0901 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-qx58-8pv8-9qjc",
"modified": "2022-05-14T03:51:04Z",
"published": "2022-05-14T03:51:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17010"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN95423049/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R236-5PC3-3QCP
Vulnerability from github – Published: 2026-06-11 20:33 – Updated: 2026-06-11 20:33Aurora PostgreSQL is a fully managed relational database engine that's compatible with PostgreSQL.
An issue in Aurora PostgreSQL using the AWS Go Wrapper waa identified, see CVE-2026-11401.
Impact An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users.
Impacted versions: AWS Go Wrapper 2026-04-06
Patches This issue has been addressed in AWS Go Wrapper 2026-05-26. Maintainers recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
Workarounds Remove the public schema from the search path.
References If there are any questions or comments about this advisory, contact [AWS/Amazon] Security via the vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.0.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/aws/aws-advanced-go-wrapper/awssql/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.06"
},
"package": {
"ecosystem": "Go",
"name": "github.com/aws/aws-advanced-go-wrapper/xray"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.07"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.1.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/aws/aws-advanced-go-wrapper/aws-secrets-manager"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.3"
},
"package": {
"ecosystem": "Go",
"name": "github.com/aws/aws-advanced-go-wrapper/custom-endpoint"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.1.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/aws/aws-advanced-go-wrapper/federated-auth"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.1.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/aws/aws-advanced-go-wrapper/iam"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.1.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/aws/aws-advanced-go-wrapper/mysql-driver"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.1.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/aws/aws-advanced-go-wrapper/okta"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.1.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/aws/aws-advanced-go-wrapper/pgx-driver"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.6"
},
"package": {
"ecosystem": "Go",
"name": "github.com/aws/aws-advanced-go-wrapper/otlp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.1.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/aws/aws-advanced-go-wrapper/auth-helpers"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-11401"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-11T20:33:12Z",
"nvd_published_at": "2026-06-05T20:17:28Z",
"severity": "HIGH"
},
"details": "Aurora PostgreSQL is a fully managed relational database engine that\u0027s compatible with PostgreSQL.\n\nAn issue in Aurora PostgreSQL using the AWS Go Wrapper waa identified, see CVE-2026-11401.\n\n\nImpact\nAn issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users.\n\nImpacted versions: AWS Go Wrapper 2026-04-06\n\nPatches\nThis issue has been addressed in AWS Go Wrapper 2026-05-26. Maintainers recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes. \n\nWorkarounds\nRemove the public schema from the search path.\n\nReferences\nIf there are any questions or comments about this advisory, contact [AWS/Amazon] Security via the [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.",
"id": "GHSA-r236-5pc3-3qcp",
"modified": "2026-06-11T20:33:12Z",
"published": "2026-06-11T20:33:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aws/aws-advanced-go-wrapper/security/advisories/GHSA-r236-5pc3-3qcp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11401"
},
{
"type": "WEB",
"url": "https://aws.amazon.com/security/security-bulletins/2026-039-aws"
},
{
"type": "PACKAGE",
"url": "https://github.com/aws/aws-advanced-go-wrapper"
},
{
"type": "WEB",
"url": "https://github.com/aws/aws-advanced-go-wrapper/releases/tag/release-2026-05-26"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "AWS Advanced Go Wrapper has Privilege Escalation in Aurora PostgreSQL instance"
}
GHSA-R23G-J848-X8P6
Vulnerability from github – Published: 2023-04-04 15:30 – Updated: 2023-04-11 21:31An issue found in Wondershare Technology Co.,Ltd PDFelement v9.1.1 allows a remote attacker to execute arbitrary commands via the pdfelement-pro_setup_full5239.exe file.
{
"affected": [],
"aliases": [
"CVE-2023-27768"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-04T15:15:00Z",
"severity": "HIGH"
},
"details": "An issue found in Wondershare Technology Co.,Ltd PDFelement v9.1.1 allows a remote attacker to execute arbitrary commands via the pdfelement-pro_setup_full5239.exe file.",
"id": "GHSA-r23g-j848-x8p6",
"modified": "2023-04-11T21:31:09Z",
"published": "2023-04-04T15:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27768"
},
{
"type": "WEB",
"url": "https://github.com/liong007/Wondershare/issues/12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R2MH-QJGM-RJ3J
Vulnerability from github – Published: 2022-05-14 03:15 – Updated: 2022-05-14 03:15AXON PBX 2.02 contains a DLL hijacking vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The vulnerability exists because a DLL file is loaded by 'pbxsetup.exe' improperly.
{
"affected": [],
"aliases": [
"CVE-2018-11551"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-01T17:29:00Z",
"severity": "HIGH"
},
"details": "AXON PBX 2.02 contains a DLL hijacking vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The vulnerability exists because a DLL file is loaded by \u0027pbxsetup.exe\u0027 improperly.",
"id": "GHSA-r2mh-qjgm-rj3j",
"modified": "2022-05-14T03:15:04Z",
"published": "2022-05-14T03:15:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11551"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2018/May/69"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R2P2-727J-VWQW
Vulnerability from github – Published: 2022-05-13 01:31 – Updated: 2022-05-13 01:31DLL Search Order Hijacking vulnerability in Microsoft Windows client in McAfee Total Protection (MTP) Prior to 16.0.18 allows local users to execute arbitrary code via execution from a compromised folder.
{
"affected": [],
"aliases": [
"CVE-2019-3587"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-23T15:29:00Z",
"severity": "MODERATE"
},
"details": "DLL Search Order Hijacking vulnerability in Microsoft Windows client in McAfee Total Protection (MTP) Prior to 16.0.18 allows local users to execute arbitrary code via execution from a compromised folder.",
"id": "GHSA-r2p2-727j-vwqw",
"modified": "2022-05-13T01:31:18Z",
"published": "2022-05-13T01:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3587"
},
{
"type": "WEB",
"url": "http://service.mcafee.com/FAQDocument.aspx?\u0026id=TS102887"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Attack Surface Reduction
Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
Mitigation
When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.
Mitigation
Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.
Mitigation
Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.
Mitigation
Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.
CAPEC-38: Leveraging/Manipulating Configuration File Search Paths
This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.