CWE-428
AllowedUnquoted Search Path or Element
Abstraction: Base · Status: Draft
The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
761 vulnerabilities reference this CWE, most recent first.
GHSA-MWQ2-V3H2-Q84R
Vulnerability from github – Published: 2024-03-12 15:32 – Updated: 2024-03-12 15:32A search path or unquoted item vulnerability in Faronics Deep Freeze Server Standard, which affects versions 8.30.020.4627 and earlier. This vulnerability affects the DFServ.exe file. An attacker with local user privileges could exploit this vulnerability to replace the legitimate DFServ.exe service executable with a malicious file of the same name and located in a directory that has a higher priority than the legitimate directory. Thus, when the service starts, it will run the malicious file instead of the legitimate executable, allowing the attacker to execute arbitrary code, gain unauthorized access to the compromised system or stop the service from running.
{
"affected": [],
"aliases": [
"CVE-2024-1618"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-12T15:15:48Z",
"severity": "HIGH"
},
"details": "A search path or unquoted item vulnerability in Faronics Deep Freeze Server Standard, which affects versions 8.30.020.4627 and earlier. This vulnerability affects the DFServ.exe file.\u00a0An attacker with local user privileges could exploit this vulnerability to replace the legitimate DFServ.exe service executable with a malicious file of the same name and located in a directory that has a higher priority than the legitimate directory.\u00a0Thus, when the service starts, it will run the malicious file instead of the legitimate executable, allowing the attacker to execute arbitrary code, gain unauthorized access to the compromised system or stop the service from running.",
"id": "GHSA-mwq2-v3h2-q84r",
"modified": "2024-03-12T15:32:21Z",
"published": "2024-03-12T15:32:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1618"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/unquoted-item-or-search-path-vulnerability-faronics-deep-freeze-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MWW5-Q78W-FFPV
Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2026-05-28 18:30Unquoted Windows search path vulnerability in the ptservice service prior to PrivateTunnel version 3.0 (Windows) and OpenVPN Connect version 3.1 (Windows) allows local users to gain privileges via a crafted program.exe file in the %SYSTEMDRIVE% folder.
{
"affected": [],
"aliases": [
"CVE-2014-5455"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-08-25T16:55:00Z",
"severity": "MODERATE"
},
"details": "Unquoted Windows search path vulnerability in the ptservice service prior to PrivateTunnel version 3.0 (Windows) and OpenVPN Connect version 3.1 (Windows) allows local users to gain privileges via a crafted program.exe file in the %SYSTEMDRIVE% folder.",
"id": "GHSA-mww5-q78w-ffpv",
"modified": "2026-05-28T18:30:24Z",
"published": "2022-05-13T01:26:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-5455"
},
{
"type": "WEB",
"url": "https://github.com/CVEProject/cvelist/pull/3909"
},
{
"type": "WEB",
"url": "https://github.com/CVEProject/cvelist/pull/3909/commits/ace34f1cf94602f31760d3eb7ae68e17df8f914d"
},
{
"type": "WEB",
"url": "https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05325943"
},
{
"type": "WEB",
"url": "http://osvdb.org/show/osvdb/109007"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/127439/OpenVPN-Private-Tunnel-Privilege-Escalation.html"
},
{
"type": "WEB",
"url": "http://www.exploit-db.com/exploits/34037"
},
{
"type": "WEB",
"url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5192.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-MXF4-GXW9-74F4
Vulnerability from github – Published: 2022-04-05 00:00 – Updated: 2022-04-13 00:00An Unquoted Service Path vulnerability exits in Vembu BDR 4.2.0.1 via a specially crafted file in the (1) hsflowd, (2) VembuBDR360Agent, or (3) VembuOffice365Agent service paths.
{
"affected": [],
"aliases": [
"CVE-2021-43458"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-04T15:15:00Z",
"severity": "HIGH"
},
"details": "An Unquoted Service Path vulnerability exits in Vembu BDR 4.2.0.1 via a specially crafted file in the (1) hsflowd, (2) VembuBDR360Agent, or (3) VembuOffice365Agent service paths.",
"id": "GHSA-mxf4-gxw9-74f4",
"modified": "2022-04-13T00:00:49Z",
"published": "2022-04-05T00:00:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43458"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/198151"
},
{
"type": "WEB",
"url": "https://github.com/M507/Miner"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49641"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MXJ5-2P9R-3838
Vulnerability from github – Published: 2026-03-16 15:30 – Updated: 2026-03-16 15:30Serviio PRO 1.8 contains an unquoted search path vulnerability in the Windows service that allows local users to execute arbitrary code with elevated privileges by placing malicious executables in the system root path. Additionally, improper directory permissions with full access for the Users group allow authenticated users to replace the executable file with arbitrary binaries, enabling privilege escalation during service startup or system reboot.
{
"affected": [],
"aliases": [
"CVE-2017-20218"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-16T14:17:51Z",
"severity": "HIGH"
},
"details": "Serviio PRO 1.8 contains an unquoted search path vulnerability in the Windows service that allows local users to execute arbitrary code with elevated privileges by placing malicious executables in the system root path. Additionally, improper directory permissions with full access for the Users group allow authenticated users to replace the executable file with arbitrary binaries, enabling privilege escalation during service startup or system reboot.",
"id": "GHSA-mxj5-2p9r-3838",
"modified": "2026-03-16T15:30:41Z",
"published": "2026-03-16T15:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20218"
},
{
"type": "WEB",
"url": "https://blogs.securiteam.com/index.php/archives/3094"
},
{
"type": "WEB",
"url": "https://cxsecurity.com/issue/WLB-2017050019"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/125644"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/142384"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/41959"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/serviio-pro-local-privilege-escalation-via-unquoted-path"
},
{
"type": "WEB",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5405.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MXMC-G5XC-MM3G
Vulnerability from github – Published: 2026-01-16 21:30 – Updated: 2026-01-16 21:30Disk Sorter Server 13.6.12 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Sorter Server\bin\disksrs.exe' to inject malicious executables and escalate privileges.
{
"affected": [],
"aliases": [
"CVE-2021-47847"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-16T19:16:10Z",
"severity": "HIGH"
},
"details": "Disk Sorter Server 13.6.12 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in \u0027C:\\Program Files\\Disk Sorter Server\\bin\\disksrs.exe\u0027 to inject malicious executables and escalate privileges.",
"id": "GHSA-mxmc-g5xc-mm3g",
"modified": "2026-01-16T21:30:37Z",
"published": "2026-01-16T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47847"
},
{
"type": "WEB",
"url": "https://www.disksorter.com"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/50013"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/disk-sorter-server-disk-sorter-server-unquoted-service-path"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MXXM-GRWW-GXGP
Vulnerability from github – Published: 2022-04-05 00:00 – Updated: 2022-04-12 00:00An Unquoted Service Path vulnerability exists in AnyTXT Searcher 1.2.394 via a specially crafted file in the ATService path. .
{
"affected": [],
"aliases": [
"CVE-2021-43454"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-04T15:15:00Z",
"severity": "HIGH"
},
"details": "An Unquoted Service Path vulnerability exists in AnyTXT Searcher 1.2.394 via a specially crafted file in the ATService path. .",
"id": "GHSA-mxxm-grww-gxgp",
"modified": "2022-04-12T00:00:56Z",
"published": "2022-04-05T00:00:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43454"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196532"
},
{
"type": "WEB",
"url": "https://github.com/M507/Miner"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49549"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P229-4HC8-7FPX
Vulnerability from github – Published: 2026-02-05 00:31 – Updated: 2026-02-05 00:31BartVPN 1.2.2 contains an unquoted service path vulnerability in the BartVPNService that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific file system locations to hijack the service's execution context.
{
"affected": [],
"aliases": [
"CVE-2019-25275"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-05T00:15:52Z",
"severity": "HIGH"
},
"details": "BartVPN 1.2.2 contains an unquoted service path vulnerability in the BartVPNService that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific file system locations to hijack the service\u0027s execution context.",
"id": "GHSA-p229-4hc8-7fpx",
"modified": "2026-02-05T00:31:01Z",
"published": "2026-02-05T00:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25275"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/47675"
},
{
"type": "WEB",
"url": "https://www.filehorse.com"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/bartvpn-bartvpnservice-unquoted-service-path"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P267-5W4M-PPRH
Vulnerability from github – Published: 2022-02-10 00:00 – Updated: 2022-02-10 00:00A local unquoted search path security vulnerability has been identified in HPE Agentless Management Service for Windows version(s): Prior to 1.44.0.0, 10.96.0.0. This vulnerability could be exploited locally by a user with high privileges to execute malware that may lead to a loss of confidentiality, integrity, and availability. HPE has provided software updates to resolve the vulnerability in HPE Agentless Management Service for Windows.
{
"affected": [],
"aliases": [
"CVE-2021-29218"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-04T23:15:00Z",
"severity": "MODERATE"
},
"details": "A local unquoted search path security vulnerability has been identified in HPE Agentless Management Service for Windows version(s): Prior to 1.44.0.0, 10.96.0.0. This vulnerability could be exploited locally by a user with high privileges to execute malware that may lead to a loss of confidentiality, integrity, and availability. HPE has provided software updates to resolve the vulnerability in HPE Agentless Management Service for Windows.",
"id": "GHSA-p267-5w4m-pprh",
"modified": "2022-02-10T00:00:42Z",
"published": "2022-02-10T00:00:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29218"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbgn04233en_us"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P2MJ-Q764-7J4J
Vulnerability from github – Published: 2026-01-21 18:30 – Updated: 2026-01-21 18:30WIN-PACK PRO4.8 contains an unquoted service path vulnerability in the ScheduleService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in 'C:\Program Files \WINPAKPRO\ScheduleService Service.exe' to inject malicious code that would execute during service startup.
{
"affected": [],
"aliases": [
"CVE-2021-47867"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-21T18:16:18Z",
"severity": "HIGH"
},
"details": "WIN-PACK PRO4.8 contains an unquoted service path vulnerability in the ScheduleService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in \u0027C:\\Program Files \u003cx86\u003e\\WINPAKPRO\\ScheduleService Service.exe\u0027 to inject malicious code that would execute during service startup.",
"id": "GHSA-p2mj-q764-7j4j",
"modified": "2026-01-21T18:30:31Z",
"published": "2026-01-21T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47867"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49691"
},
{
"type": "WEB",
"url": "https://www.security.honeywell.com/product-repository/winpak"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/win-pack-pro-scheduleservice-unquoted-service-path"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P35X-5893-X6GP
Vulnerability from github – Published: 2024-02-19 06:30 – Updated: 2025-03-25 18:30An unquoted service path vulnerability in the 12d Synergy Server and File Replication Server components may allow an attacker to gain elevated privileges via the 12d Synergy Server and/or 12d Synergy File Replication Server executable service path. This is fixed in 4.3.10.192, 5.1.5.221, and 5.1.6.235.
{
"affected": [],
"aliases": [
"CVE-2024-24722"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-19T06:15:07Z",
"severity": "CRITICAL"
},
"details": "An unquoted service path vulnerability in the 12d Synergy Server and File Replication Server components may allow an attacker to gain elevated privileges via the 12d Synergy Server and/or 12d Synergy File Replication Server executable service path. This is fixed in 4.3.10.192, 5.1.5.221, and 5.1.6.235.",
"id": "GHSA-p35x-5893-x6gp",
"modified": "2025-03-25T18:30:25Z",
"published": "2024-02-19T06:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24722"
},
{
"type": "WEB",
"url": "https://files.12dsynergy.com/downloads/download.aspx"
},
{
"type": "WEB",
"url": "https://help.12dsynergy.com/v1/docs/cve-2024-24722"
},
{
"type": "WEB",
"url": "https://www.12dsynergy.com/security-statement"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Properly quote the full search path before executing a program on the system.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.