CWE-427
Allowed-with-ReviewUncontrolled Search Path Element
Abstraction: Base · Status: Draft
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
1784 vulnerabilities reference this CWE, most recent first.
GHSA-V33Q-GRX6-58X9
Vulnerability from github – Published: 2022-11-10 12:01 – Updated: 2022-11-15 19:00An Uncontrolled Search Path Element in Foxit Software released Foxit Reader v11.2.118.51569 allows attackers to escalate privileges when searching for DLL libraries without specifying an absolute path.
{
"affected": [],
"aliases": [
"CVE-2022-43310"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-09T21:15:00Z",
"severity": "HIGH"
},
"details": "An Uncontrolled Search Path Element in Foxit Software released Foxit Reader v11.2.118.51569 allows attackers to escalate privileges when searching for DLL libraries without specifying an absolute path.",
"id": "GHSA-v33q-grx6-58x9",
"modified": "2022-11-15T19:00:52Z",
"published": "2022-11-10T12:01:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43310"
},
{
"type": "WEB",
"url": "https://github.com/hxxt9049/futing"
},
{
"type": "WEB",
"url": "https://www.foxitsoftware.cn/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.foxitsoftware.com/support/security-bulletins.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V36Q-QX7X-FWF9
Vulnerability from github – Published: 2022-12-12 15:30 – Updated: 2022-12-15 18:30HP Support Assistant uses HP Performance Tune-up as a diagnostic tool. HP Support Assistant uses Fusion to launch HP Performance Tune-up. It is possible for an attacker to exploit the DLL hijacking vulnerability and elevate privileges when Fusion launches the HP Performance Tune-up.
{
"affected": [],
"aliases": [
"CVE-2022-38395"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-12T13:15:00Z",
"severity": "HIGH"
},
"details": "HP Support Assistant uses HP Performance Tune-up as a diagnostic tool. HP Support Assistant uses Fusion to launch HP Performance Tune-up. It is possible for an attacker to exploit the DLL hijacking vulnerability and elevate privileges when Fusion launches the HP Performance Tune-up.",
"id": "GHSA-v36q-qx7x-fwf9",
"modified": "2022-12-15T18:30:25Z",
"published": "2022-12-12T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38395"
},
{
"type": "WEB",
"url": "https://support.hp.com/us-en/document/ish_6788123-6788147-16/hpsbhf03809"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V377-GG5V-M3PQ
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45The FTL Server (tibftlserver), FTL C API, FTL Golang API, FTL Java API, and FTL .Net API components of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, and TIBCO FTL - Enterprise Edition contain a vulnerability that theoretically allows a low privileged attacker with local access on the Windows operating system to insert malicious software. The affected component can be abused to execute the malicious software inserted by the attacker with the elevated privileges of the component. This vulnerability results from the affected component searching for run-time artifacts outside of the installation hierarchy. Affected releases are TIBCO Software Inc.'s TIBCO FTL - Community Edition: versions 6.5.0 and below, TIBCO FTL - Developer Edition: versions 6.5.0 and below, and TIBCO FTL - Enterprise Edition: versions 6.5.0 and below.
{
"affected": [],
"aliases": [
"CVE-2021-28820"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-23T21:15:00Z",
"severity": "HIGH"
},
"details": "The FTL Server (tibftlserver), FTL C API, FTL Golang API, FTL Java API, and FTL .Net API components of TIBCO Software Inc.\u0027s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, and TIBCO FTL - Enterprise Edition contain a vulnerability that theoretically allows a low privileged attacker with local access on the Windows operating system to insert malicious software. The affected component can be abused to execute the malicious software inserted by the attacker with the elevated privileges of the component. This vulnerability results from the affected component searching for run-time artifacts outside of the installation hierarchy. Affected releases are TIBCO Software Inc.\u0027s TIBCO FTL - Community Edition: versions 6.5.0 and below, TIBCO FTL - Developer Edition: versions 6.5.0 and below, and TIBCO FTL - Enterprise Edition: versions 6.5.0 and below.",
"id": "GHSA-v377-gg5v-m3pq",
"modified": "2022-05-24T17:45:06Z",
"published": "2022-05-24T17:45:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28820"
},
{
"type": "WEB",
"url": "http://www.tibco.com/services/support/advisories"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-V4F4-23WC-99MH
Vulnerability from github – Published: 2023-06-30 21:30 – Updated: 2024-10-11 21:25A dependency confusion in pipreqs v0.3.0 to v0.4.11 allows attackers to execute arbitrary code via uploading a crafted PyPI package to the chosen repository server.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pipreqs"
},
"ranges": [
{
"events": [
{
"introduced": "0.3.0"
},
{
"fixed": "0.4.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-31543"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-30T22:12:37Z",
"nvd_published_at": "2023-06-30T20:15:09Z",
"severity": "CRITICAL"
},
"details": "A dependency confusion in pipreqs v0.3.0 to v0.4.11 allows attackers to execute arbitrary code via uploading a crafted PyPI package to the chosen repository server.",
"id": "GHSA-v4f4-23wc-99mh",
"modified": "2024-10-11T21:25:16Z",
"published": "2023-06-30T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31543"
},
{
"type": "WEB",
"url": "https://github.com/bndr/pipreqs/pull/364"
},
{
"type": "WEB",
"url": "https://github.com/bndr/pipreqs/commit/3f5964fcb90ec6eb6df46d78e651a1b73538d0ba"
},
{
"type": "WEB",
"url": "https://gist.github.com/adeadfed/ccc834440af354a5638f889bee34bafe"
},
{
"type": "PACKAGE",
"url": "https://github.com/bndr/pipreqs"
},
{
"type": "WEB",
"url": "https://github.com/bndr/pipreqs/blob/master/pipreqs/pipreqs.py#L447-L449"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pipreqs/PYSEC-2023-99.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "pipreqs vulnerable to Dependency Confusion"
}
GHSA-V4RQ-RQ59-HGX8
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30A vulnerability in the loading mechanism of specific DLLs in the Cisco Webex Teams client for Windows could allow an authenticated, local attacker to load a malicious library. To exploit this vulnerability, the attacker needs valid credentials on the Windows system. The vulnerability is due to incorrect handling of directory paths at run time. An attacker could exploit this vulnerability by placing a malicious DLL file in a specific location on the targeted system. This file will execute when the vulnerable application launches. A successful exploit could allow the attacker to execute arbitrary code on the targeted system with the privileges of another user’s account.
{
"affected": [],
"aliases": [
"CVE-2020-3535"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-08T05:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the loading mechanism of specific DLLs in the Cisco Webex Teams client for Windows could allow an authenticated, local attacker to load a malicious library. To exploit this vulnerability, the attacker needs valid credentials on the Windows system. The vulnerability is due to incorrect handling of directory paths at run time. An attacker could exploit this vulnerability by placing a malicious DLL file in a specific location on the targeted system. This file will execute when the vulnerable application launches. A successful exploit could allow the attacker to execute arbitrary code on the targeted system with the privileges of another user\u0026rsquo;s account.",
"id": "GHSA-v4rq-rq59-hgx8",
"modified": "2022-05-24T17:30:21Z",
"published": "2022-05-24T17:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3535"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-teams-dll-drsnH5AN"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-V4WC-276H-MCM2
Vulnerability from github – Published: 2021-12-24 00:00 – Updated: 2022-04-19 00:01A Memory Corruption vulnerability may lead to code execution through maliciously crafted DLL files through PDF earlier than 9.0.7 version.
{
"affected": [],
"aliases": [
"CVE-2021-40161"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-23T19:15:00Z",
"severity": "HIGH"
},
"details": "A Memory Corruption vulnerability may lead to code execution through maliciously crafted DLL files through PDF earlier than 9.0.7 version.",
"id": "GHSA-v4wc-276h-mcm2",
"modified": "2022-04-19T00:01:45Z",
"published": "2021-12-24T00:00:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40161"
},
{
"type": "WEB",
"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V4WF-G3GR-3X2H
Vulnerability from github – Published: 2026-01-21 09:31 – Updated: 2026-02-24 15:30The installer of ServerView Agents for Windows provided by Fsas Technologies Inc. may insecurely load Dynamic Link Libraries. Arbitrary code may be executed with the administrator privilege when the installer is executed.
{
"affected": [],
"aliases": [
"CVE-2026-24016"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-21T08:15:59Z",
"severity": "HIGH"
},
"details": "The installer of ServerView Agents for Windows provided by Fsas Technologies Inc. may insecurely load Dynamic Link Libraries. Arbitrary code may be executed with the administrator privilege when the installer is executed.",
"id": "GHSA-v4wf-g3gr-3x2h",
"modified": "2026-02-24T15:30:27Z",
"published": "2026-01-21T09:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24016"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN65211823"
},
{
"type": "WEB",
"url": "https://security.ts.fujitsu.com/ProductSecurity/content/FsasTech-PSIRT-FTI-ISS-2026-012107-Security-Notice.pdf"
},
{
"type": "WEB",
"url": "https://www.fsastech.com/ja-jp/resources/security/2026/0121.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-V5GJ-GR4G-9RMQ
Vulnerability from github – Published: 2023-11-30 21:30 – Updated: 2023-12-06 18:31An Untrusted search path vulnerability in notepad++ 6.5 allows local users to gain escalated privileges through the msimg32.dll file in the current working directory.
{
"affected": [],
"aliases": [
"CVE-2023-47452"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-30T21:15:08Z",
"severity": "HIGH"
},
"details": "An Untrusted search path vulnerability in notepad++ 6.5 allows local users to gain escalated privileges through the msimg32.dll file in the current working directory.",
"id": "GHSA-v5gj-gr4g-9rmq",
"modified": "2023-12-06T18:31:05Z",
"published": "2023-11-30T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47452"
},
{
"type": "WEB",
"url": "https://github.com/xieqiang11/poc-1/tree/main"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V5J3-VP2M-WG9G
Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2022-05-24 17:40A DLL hijacking vulnerability Trend Micro HouseCall for Home Networks version 5.3.1063 and below could allow an attacker to use a malicious DLL to escalate privileges and perform arbitrary code execution. An attacker must already have user privileges on the machine to exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-25247"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-27T19:15:00Z",
"severity": "HIGH"
},
"details": "A DLL hijacking vulnerability Trend Micro HouseCall for Home Networks version 5.3.1063 and below could allow an attacker to use a malicious DLL to escalate privileges and perform arbitrary code execution. An attacker must already have user privileges on the machine to exploit this vulnerability.",
"id": "GHSA-v5j3-vp2m-wg9g",
"modified": "2022-05-24T17:40:28Z",
"published": "2022-05-24T17:40:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25247"
},
{
"type": "WEB",
"url": "https://helpcenter.trendmicro.com/en-us/article/TMKA-10180"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-V5JG-GCMJ-9JG6
Vulnerability from github – Published: 2025-07-17 21:32 – Updated: 2025-07-17 21:32A DLL hijacking vulnerability was reported in TrackPoint Quick Menu software that, under certain conditions, could allow a local attacker to escalate privileges.
{
"affected": [],
"aliases": [
"CVE-2025-1729"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-17T20:15:28Z",
"severity": "MODERATE"
},
"details": "A DLL hijacking vulnerability was reported in TrackPoint Quick Menu software that, under certain conditions, could allow a local attacker to escalate privileges.",
"id": "GHSA-v5jg-gcmj-9jg6",
"modified": "2025-07-17T21:32:15Z",
"published": "2025-07-17T21:32:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1729"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/us/en/product_security/LEN-189489"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Strategy: Attack Surface Reduction
Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
Mitigation
Strategy: Attack Surface Reduction
When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.
Mitigation
Strategy: Attack Surface Reduction
Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.
Mitigation
Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. Since this is a denylist approach, it might not be a complete solution.
Mitigation
Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of finding the program using the PATH environment variable, while execl() and execv() require a full path.
CAPEC-38: Leveraging/Manipulating Configuration File Search Paths
This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.
CAPEC-471: Search Order Hijacking
An adversary exploits a weakness in an application's specification of external libraries to exploit the functionality of the loader where the process loading the library searches first in the same directory in which the process binary resides and then in other directories. Exploitation of this preferential search order can allow an attacker to make the loading process load the adversary's rogue library rather than the legitimate library. This attack can be leveraged with many different libraries and with many different loading processes. No forensic trails are left in the system's registry or file system that an incorrect library had been loaded.