CWE-428
AllowedUnquoted Search Path or Element
Abstraction: Base · Status: Draft
The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
761 vulnerabilities reference this CWE, most recent first.
GHSA-CXV6-8QC3-GF8H
Vulnerability from github – Published: 2026-01-21 18:30 – Updated: 2026-01-21 18:30Realtek Wireless LAN Utility 700.1631 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted service path by inserting malicious code in the system root path that would execute during application startup or system reboot.
{
"affected": [],
"aliases": [
"CVE-2021-47880"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-21T18:16:22Z",
"severity": "HIGH"
},
"details": "Realtek Wireless LAN Utility 700.1631 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted service path by inserting malicious code in the system root path that would execute during application startup or system reboot.",
"id": "GHSA-cxv6-8qc3-gf8h",
"modified": "2026-01-21T18:30:31Z",
"published": "2026-01-21T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47880"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49646"
},
{
"type": "WEB",
"url": "https://www.realtek.com/en"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/realtek-wireless-lan-utility-realteknsu-unquoted-service-path"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F2VM-77F3-VPCQ
Vulnerability from github – Published: 2022-05-21 00:01 – Updated: 2022-05-27 00:00MiniTool Partition Wizard v12.0 contains an unquoted service path which allows attackers to escalate privileges to the system level.
{
"affected": [],
"aliases": [
"CVE-2022-29320"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-20T13:15:00Z",
"severity": "HIGH"
},
"details": "MiniTool Partition Wizard v12.0 contains an unquoted service path which allows attackers to escalate privileges to the system level.",
"id": "GHSA-f2vm-77f3-vpcq",
"modified": "2022-05-27T00:00:56Z",
"published": "2022-05-21T00:01:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29320"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/50859"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F3GP-77FQ-586M
Vulnerability from github – Published: 2025-05-13 18:30 – Updated: 2025-05-13 18:30Unquoted search path within AIM-T Manageability Service can allow a local attacker to escalate privileges, potentially resulting in arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2024-36321"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-13T17:15:50Z",
"severity": "HIGH"
},
"details": "Unquoted search path within AIM-T Manageability Service can allow a local attacker to escalate privileges, potentially resulting in arbitrary code execution.",
"id": "GHSA-f3gp-77fq-586m",
"modified": "2025-05-13T18:30:53Z",
"published": "2025-05-13T18:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36321"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-9015.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F43W-MFRF-MV66
Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2022-05-24 17:24TeamViewer Desktop for Windows before 15.8.3 does not properly quote its custom URI handlers. A malicious website could launch TeamViewer with arbitrary parameters, as demonstrated by a teamviewer10: --play URL. An attacker could force a victim to send an NTLM authentication request and either relay the request or capture the hash for offline password cracking. This affects teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1, and tvvpn1. The issue is fixed in 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3.
{
"affected": [],
"aliases": [
"CVE-2020-13699"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-29T16:15:00Z",
"severity": "MODERATE"
},
"details": "TeamViewer Desktop for Windows before 15.8.3 does not properly quote its custom URI handlers. A malicious website could launch TeamViewer with arbitrary parameters, as demonstrated by a teamviewer10: --play URL. An attacker could force a victim to send an NTLM authentication request and either relay the request or capture the hash for offline password cracking. This affects teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1, and tvvpn1. The issue is fixed in 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3.",
"id": "GHSA-f43w-mfrf-mv66",
"modified": "2022-05-24T17:24:36Z",
"published": "2022-05-24T17:24:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13699"
},
{
"type": "WEB",
"url": "https://community.teamviewer.com/t5/Announcements/Statement-on-CVE-2020-13699/td-p/98448"
},
{
"type": "WEB",
"url": "https://jeffs.sh/CVEs/CVE-2020-13699.txt"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-F4JG-44MW-M46M
Vulnerability from github – Published: 2026-02-05 00:31 – Updated: 2026-02-05 00:31NCP Secure Entry Client 9.2 contains an unquoted service path vulnerability in multiple Windows services that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted paths in services like ncprwsnt, rwsrsu, ncpclcfg, and NcpSec to inject malicious code that would execute with LocalSystem privileges during service startup.
{
"affected": [],
"aliases": [
"CVE-2019-25281"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-05T00:15:52Z",
"severity": "HIGH"
},
"details": "NCP Secure Entry Client 9.2 contains an unquoted service path vulnerability in multiple Windows services that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted paths in services like ncprwsnt, rwsrsu, ncpclcfg, and NcpSec to inject malicious code that would execute with LocalSystem privileges during service startup.",
"id": "GHSA-f4jg-44mw-m46m",
"modified": "2026-02-05T00:31:01Z",
"published": "2026-02-05T00:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25281"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/47668"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/ncpsecureentryclient-unquoted-service-paths"
},
{
"type": "WEB",
"url": "http://software.ncp-e.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F537-RHM6-GC65
Vulnerability from github – Published: 2024-06-18 00:31 – Updated: 2024-11-04 21:30A vulnerability classified as critical was found in Intelbras InControl 2.21.56. This vulnerability affects unknown code. The manipulation leads to unquoted search path. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. VDB-268822 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2024-6080"
],
"database_specific": {
"cwe_ids": [
"CWE-426",
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-17T23:15:51Z",
"severity": "HIGH"
},
"details": "A vulnerability classified as critical was found in Intelbras InControl 2.21.56. This vulnerability affects unknown code. The manipulation leads to unquoted search path. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. VDB-268822 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-f537-rhm6-gc65",
"modified": "2024-11-04T21:30:26Z",
"published": "2024-06-18T00:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6080"
},
{
"type": "WEB",
"url": "https://backend.intelbras.com/sites/default/files/2024-10/Aviso%20de%20Seguran%C3%A7a%20-%20Incontrol%202.21.56%20e%202.21.57.pdf"
},
{
"type": "WEB",
"url": "https://download.cronos.intelbras.com.br/download/INCONTROL/INCONTROL-WEB/prod/INCONTROL-WEB-2.21.58-233dfd1ac1e2ca3eabb71c854005c78b.exe"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.268822"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.268822"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.353502"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F6PX-3VVF-Q83R
Vulnerability from github – Published: 2026-01-16 00:30 – Updated: 2026-01-16 00:30Remote Mouse 4.002 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the RemoteMouseService to inject malicious executables and gain administrative access.
{
"affected": [],
"aliases": [
"CVE-2021-47792"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-16T00:16:23Z",
"severity": "HIGH"
},
"details": "Remote Mouse 4.002 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the RemoteMouseService to inject malicious executables and gain administrative access.",
"id": "GHSA-f6px-3vvf-q83r",
"modified": "2026-01-16T00:30:55Z",
"published": "2026-01-16T00:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47792"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/50258"
},
{
"type": "WEB",
"url": "https://www.remotemouse.net"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/remote-mouse-unquoted-service-path"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F7M8-G3G3-P9RF
Vulnerability from github – Published: 2026-06-19 15:33 – Updated: 2026-06-19 15:33Network Inventory Advisor 5.0.26.0 installs the niaservice service with an unquoted binary path that allows local attackers to escalate privileges by placing malicious executables in intermediate directories. Attackers can exploit the unquoted path in the service configuration to execute arbitrary code with LocalSystem privileges when the service starts or restarts.
{
"affected": [],
"aliases": [
"CVE-2019-25747"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-19T15:16:33Z",
"severity": "HIGH"
},
"details": "Network Inventory Advisor 5.0.26.0 installs the niaservice service with an unquoted binary path that allows local attackers to escalate privileges by placing malicious executables in intermediate directories. Attackers can exploit the unquoted path in the service configuration to execute arbitrary code with LocalSystem privileges when the service starts or restarts.",
"id": "GHSA-f7m8-g3g3-p9rf",
"modified": "2026-06-19T15:33:18Z",
"published": "2026-06-19T15:33:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25747"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/47584"
},
{
"type": "WEB",
"url": "https://www.network-inventory-advisor.com"
},
{
"type": "WEB",
"url": "https://www.network-inventory-advisor.com/download.html"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/network-inventory-advisor-unquoted-service-path-privilege-escalation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F7V6-Q2XX-GH48
Vulnerability from github – Published: 2022-05-14 03:09 – Updated: 2022-05-14 03:09The OPC Foundation Local Discovery Server (LDS) before 1.03.367 is installed as a Windows Service without adding double quotes around the opcualds.exe executable path, which might allow local users to gain privileges.
{
"affected": [],
"aliases": [
"CVE-2017-11672"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-13T18:29:00Z",
"severity": "HIGH"
},
"details": "The OPC Foundation Local Discovery Server (LDS) before 1.03.367 is installed as a Windows Service without adding double quotes around the opcualds.exe executable path, which might allow local users to gain privileges.",
"id": "GHSA-f7v6-q2xx-gh48",
"modified": "2022-05-14T03:09:40Z",
"published": "2022-05-14T03:09:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11672"
},
{
"type": "WEB",
"url": "https://opcfoundation-onlineapplications.org/faq/SecurityBulletins/OPC_Foundation_Security_Bulletin_CVE-2017-11672.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F86Q-56FJ-V562
Vulnerability from github – Published: 2025-03-12 18:32 – Updated: 2025-03-12 18:32Unquoted Search Path or Element vulnerability in OpenText™ Service Manager.
The vulnerability could allow a user to gain SYSTEM privileges through Privilege Escalation.
This issue affects Service Manager: 9.70, 9.71, 9.72.
{
"affected": [],
"aliases": [
"CVE-2025-0884"
],
"database_specific": {
"cwe_ids": [
"CWE-428"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-12T16:15:20Z",
"severity": "HIGH"
},
"details": "Unquoted Search Path or Element vulnerability in OpenText\u2122 Service Manager.\u00a0\n\nThe vulnerability could allow a user to gain SYSTEM privileges through Privilege Escalation.\n\nThis issue affects Service Manager: 9.70, 9.71, 9.72.",
"id": "GHSA-f86q-56fj-v562",
"modified": "2025-03-12T18:32:52Z",
"published": "2025-03-12T18:32:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0884"
},
{
"type": "WEB",
"url": "https://portal.microfocus.com/s/article/KM000036731?language=en_US"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:A/V:C/RE:M/U:Green",
"type": "CVSS_V4"
}
]
}
Mitigation
Properly quote the full search path before executing a program on the system.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.