CWE-426
Allowed-with-ReviewUntrusted Search Path
Abstraction: Base · Status: Stable
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
892 vulnerabilities reference this CWE, most recent first.
GHSA-FJH2-7M7F-V25R
Vulnerability from github – Published: 2022-05-14 03:03 – Updated: 2022-05-14 03:03Untrusted search path vulnerability in the installer of FLET'S VIRUS CLEAR Easy Setup & Application Tool ver.13.0 and earlier versions and FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool ver.13.0 and earlier versions allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2018-0563"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-26T14:29:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in the installer of FLET\u0027S VIRUS CLEAR Easy Setup \u0026 Application Tool ver.13.0 and earlier versions and FLET\u0027S VIRUS CLEAR v6 Easy Setup \u0026 Application Tool ver.13.0 and earlier versions allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-fjh2-7m7f-v25r",
"modified": "2022-05-14T03:03:00Z",
"published": "2022-05-14T03:03:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0563"
},
{
"type": "WEB",
"url": "https://flets.com/customer/next/sec/setup/esat_install.html"
},
{
"type": "WEB",
"url": "https://flets.com/customer/tec/fvc/setup/esat_install.html"
},
{
"type": "WEB",
"url": "http://jvn.jp/en/jp/JVN20040004/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FJWH-37M4-WMR4
Vulnerability from github – Published: 2022-05-14 01:57 – Updated: 2022-05-14 01:57Untrusted search path vulnerability in the installer of Visual Studio Code allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2018-0597"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-26T14:29:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in the installer of Visual Studio Code allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-fjwh-37m4-wmr4",
"modified": "2022-05-14T01:57:01Z",
"published": "2022-05-14T01:57:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0597"
},
{
"type": "WEB",
"url": "https://blogs.technet.microsoft.com/srd/2018/04/04/triaging-a-dll-planting-vulnerability"
},
{
"type": "WEB",
"url": "http://jvn.jp/en/jp/JVN91151862/index.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/104563"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FM94-QRGP-P6GF
Vulnerability from github – Published: 2022-05-17 02:43 – Updated: 2022-05-17 02:43Untrusted search path vulnerability in Evernote for Windows versions prior to 6.3 allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2016-4900"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-22T16:29:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in Evernote for Windows versions prior to 6.3 allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-fm94-qrgp-p6gf",
"modified": "2022-05-17T02:43:12Z",
"published": "2022-05-17T02:43:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4900"
},
{
"type": "WEB",
"url": "https://evernote.com/security/updates/#win"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN03251132/index.html"
},
{
"type": "WEB",
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000206"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/93572"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FMXC-P474-P2PP
Vulnerability from github – Published: 2025-01-15 21:31 – Updated: 2025-02-03 18:30An issue in the USB Autorun function of HI-SCAN 6040i Hitrax HX-03-19-I allows attackers to execute arbitrary code via uploading a crafted script from a USB device.
{
"affected": [],
"aliases": [
"CVE-2024-48123"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-15T21:15:13Z",
"severity": "HIGH"
},
"details": "An issue in the USB Autorun function of HI-SCAN 6040i Hitrax HX-03-19-I allows attackers to execute arbitrary code via uploading a crafted script from a USB device.",
"id": "GHSA-fmxc-p474-p2pp",
"modified": "2025-02-03T18:30:39Z",
"published": "2025-01-15T21:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48123"
},
{
"type": "WEB",
"url": "https://kth.diva-portal.org/smash/get/diva2:1876534/FULLTEXT01.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FPC5-QCVF-CR7W
Vulnerability from github – Published: 2022-05-14 01:34 – Updated: 2022-05-14 01:34Symantec Ghost Solution Suite (GSS) versions prior to 3.3 RU1 may be susceptible to a DLL hijacking vulnerability, which is a type of issue whereby a potential attacker attempts to execute unexpected code on your machine. This occurs via placement of a potentially foreign file (DLL) that the attacker then attempts to run via a linked application.
{
"affected": [],
"aliases": [
"CVE-2018-18364"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-08T17:29:00Z",
"severity": "HIGH"
},
"details": "Symantec Ghost Solution Suite (GSS) versions prior to 3.3 RU1 may be susceptible to a DLL hijacking vulnerability, which is a type of issue whereby a potential attacker attempts to execute unexpected code on your machine. This occurs via placement of a potentially foreign file (DLL) that the attacker then attempts to run via a linked application.",
"id": "GHSA-fpc5-qcvf-cr7w",
"modified": "2022-05-14T01:34:19Z",
"published": "2022-05-14T01:34:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18364"
},
{
"type": "WEB",
"url": "https://support.symantec.com/en_US/article.SYMSA1474.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106684"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FPG3-R4MV-G4M8
Vulnerability from github – Published: 2022-05-17 02:15 – Updated: 2022-05-17 02:15VIT Spider Player 2.5.3 has an untrusted search path, allowing DLL hijacking via a Trojan horse dwmapi.dll, olepro32.dll, dsound.dll, or AUDIOSES.dll file.
{
"affected": [],
"aliases": [
"CVE-2017-11748"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-30T16:29:00Z",
"severity": "HIGH"
},
"details": "VIT Spider Player 2.5.3 has an untrusted search path, allowing DLL hijacking via a Trojan horse dwmapi.dll, olepro32.dll, dsound.dll, or AUDIOSES.dll file.",
"id": "GHSA-fpg3-r4mv-g4m8",
"modified": "2022-05-17T02:15:36Z",
"published": "2022-05-17T02:15:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11748"
},
{
"type": "WEB",
"url": "http://blog.pentest.space/2017/07/spider-player-253-unsafe-dll-loading.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FPG4-8VX9-5M5W
Vulnerability from github – Published: 2022-05-14 00:57 – Updated: 2022-05-14 00:57BestXsoftware Best Free Keylogger before 6.0.0 allows local users to gain privileges via a Trojan horse "%PROGRAMFILES%\BFK 5.2.9\syscrb.exe" file because of insecure permissions for the BUILTIN\Users group.
{
"affected": [],
"aliases": [
"CVE-2018-18519"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-19T08:29:00Z",
"severity": "HIGH"
},
"details": "BestXsoftware Best Free Keylogger before 6.0.0 allows local users to gain privileges via a Trojan horse \"%PROGRAMFILES%\\BFK 5.2.9\\syscrb.exe\" file because of insecure permissions for the BUILTIN\\Users group.",
"id": "GHSA-fpg4-8vx9-5m5w",
"modified": "2022-05-14T00:57:48Z",
"published": "2022-05-14T00:57:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18519"
},
{
"type": "WEB",
"url": "https://github.com/ilsani/rd/tree/master/security-advisories/bestxsoftware/cve-2018-18519"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FQ5G-2R8V-WMH7
Vulnerability from github – Published: 2022-05-17 02:27 – Updated: 2022-05-17 02:27Untrusted search path vulnerability in Installer of Yahoo! Toolbar (for Internet explorer) v8.0.0.6 and earlier, with its timestamp prior to June 13, 2017, 18:18:55 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2017-2253"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-17T13:18:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in Installer of Yahoo! Toolbar (for Internet explorer) v8.0.0.6 and earlier, with its timestamp prior to June 13, 2017, 18:18:55 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-fq5g-2r8v-wmh7",
"modified": "2022-05-17T02:27:26Z",
"published": "2022-05-17T02:27:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2253"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN02852421/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FQ9J-VW4W-FR6V
Vulnerability from github – Published: 2026-06-18 13:04 – Updated: 2026-06-18 13:04Summary
Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution. In affected versions, a workspace .env in a repository opened by a trusted operator could influence which Python runtime gcloud used through CLOUDSDK_PYTHON.
This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.
Impact
When the affected feature is enabled and reachable, this could run setup through an unintended local Python path. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path.
Patched Versions
The first stable patched version is 2026.5.2.
Mitigations
run Gmail setup from trusted workspaces and clear workspace env overrides until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53842"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T13:04:09Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nWorkspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution. In affected versions, a workspace `.env` in a repository opened by a trusted operator could influence which Python runtime `gcloud` used through `CLOUDSDK_PYTHON`.\n\nThis advisory is scoped to the named feature and configuration. It does not change OpenClaw\u0027s trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.\n\n### Impact\n\nWhen the affected feature is enabled and reachable, this could run setup through an unintended local Python path. Practical impact depends on the operator\u0027s configuration and whether lower-trust input can reach that path.\n\n### Patched Versions\n\nThe first stable patched version is `2026.5.2`.\n\n### Mitigations\n\nrun Gmail setup from trusted workspaces and clear workspace env overrides until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
"id": "GHSA-fq9j-vw4w-fr6v",
"modified": "2026-06-18T13:04:09Z",
"published": "2026-06-18T13:04:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fq9j-vw4w-fr6v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53842"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-python-runtime-execution-via-cloudsdk-python-environment-variable"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution"
}
GHSA-FR4V-RQCF-22F4
Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2022-05-24 17:03Barco ClickShare Button R9861500D01 devices before 1.9.0 have Missing Support for Integrity Check. The Barco signed 'Clickshare_For_Windows.exe' binary on the ClickShare Button (R9861500D01) loads a number of DLL files dynamically without verifying their integrity.
{
"affected": [],
"aliases": [
"CVE-2019-18829"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-17T14:15:00Z",
"severity": "MODERATE"
},
"details": "Barco ClickShare Button R9861500D01 devices before 1.9.0 have Missing Support for Integrity Check. The Barco signed \u0027Clickshare_For_Windows.exe\u0027 binary on the ClickShare Button (R9861500D01) loads a number of DLL files dynamically without verifying their integrity.",
"id": "GHSA-fr4v-rqcf-22f4",
"modified": "2022-05-24T17:03:50Z",
"published": "2022-05-24T17:03:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18829"
},
{
"type": "WEB",
"url": "https://labs.f-secure.com/advisories/multiple-vulnerabilities-in-barco-clickshare"
},
{
"type": "WEB",
"url": "https://www.barco.com/en/clickshare/firmware-update"
},
{
"type": "WEB",
"url": "https://www.barco.com/en/clickshare/support/software/R33050069?majorVersion=01\u0026minorVersion=10\u0026patchVersion=00\u0026buildVersion=013"
},
{
"type": "WEB",
"url": "https://www.barco.com/en/clickshare/support/software/R33050070?majorVersion=01\u0026minorVersion=10\u0026patchVersion=00\u0026buildVersion=013"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Strategy: Attack Surface Reduction
Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
Mitigation
When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.
Mitigation
Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.
Mitigation
Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.
Mitigation
Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.
CAPEC-38: Leveraging/Manipulating Configuration File Search Paths
This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.