Common Weakness Enumeration

CWE-428

Allowed

Unquoted Search Path or Element

Abstraction: Base · Status: Draft

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.

761 vulnerabilities reference this CWE, most recent first.

GHSA-V9MC-W4G8-M32W

Vulnerability from github – Published: 2023-05-10 15:30 – Updated: 2024-04-04 03:59
VLAI
Details

Uncontrolled search path in some Intel(R) NUC Chaco Canyon BIOS update software before version iFlashV Windows 5.13.00.2105 may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38101"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-427",
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-10T14:15:13Z",
    "severity": "HIGH"
  },
  "details": "Uncontrolled search path in some Intel(R) NUC Chaco Canyon BIOS update software before version iFlashV Windows 5.13.00.2105 may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-v9mc-w4g8-m32w",
  "modified": "2024-04-04T03:59:23Z",
  "published": "2023-05-10T15:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38101"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00780.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VCPC-5M37-QV5V

Vulnerability from github – Published: 2025-11-05 09:30 – Updated: 2025-11-05 09:30
VLAI
Details

Optical Disc Archive Software provided by Sony Corporation registers a Windows service with an unquoted file path. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-62225"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-05T07:15:33Z",
    "severity": "HIGH"
  },
  "details": "Optical Disc Archive Software provided by Sony Corporation registers a Windows service with an unquoted file path. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.",
  "id": "GHSA-vcpc-5m37-qv5v",
  "modified": "2025-11-05T09:30:25Z",
  "published": "2025-11-05T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62225"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN81917433"
    },
    {
      "type": "WEB",
      "url": "https://www.sony.jp/oda/application/?srsltid=AfmBOoo8t7k-alQo7ZnV2MAhq8qfIJtFOJN41U2Tu-B1yrpx3Y_KHurk"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VCQW-5625-54XG

Vulnerability from github – Published: 2026-06-19 15:33 – Updated: 2026-06-19 15:33
VLAI
Details

Winstep 18.06.0096 contains an unquoted service path vulnerability in the Winstep Xtreme Service that allows local attackers to escalate privileges. Attackers can place malicious executables in the Program Files directory to be executed with LocalSystem privileges when the service starts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-37253"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-19T15:16:34Z",
    "severity": "HIGH"
  },
  "details": "Winstep 18.06.0096 contains an unquoted service path vulnerability in the Winstep Xtreme Service that allows local attackers to escalate privileges. Attackers can place malicious executables in the Program Files directory to be executed with LocalSystem privileges when the service starts.",
  "id": "GHSA-vcqw-5625-54xg",
  "modified": "2026-06-19T15:33:18Z",
  "published": "2026-06-19T15:33:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37253"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/49004"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/winstep-unquoted-service-path-privilege-escalation"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VCW8-RV56-C6JQ

Vulnerability from github – Published: 2022-04-02 00:00 – Updated: 2022-04-09 00:00
VLAI
Details

Xlpd v7.0.0094 and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-27965"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-31T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Xlpd v7.0.0094 and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file.",
  "id": "GHSA-vcw8-rv56-c6jq",
  "modified": "2022-04-09T00:00:50Z",
  "published": "2022-04-02T00:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27965"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ycdxsb/Vuln/tree/main/NetSarang-CreateProcessW-Misuse-Binary-Hijack/Xlpd-CreateProcessW-Misuse-Binary-Hijack"
    },
    {
      "type": "WEB",
      "url": "https://www.netsarang.com/en/xlpd-update-history"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VCXH-HFRR-5F7F

Vulnerability from github – Published: 2023-03-16 12:30 – Updated: 2023-03-22 18:30
VLAI
Details

VX Search v13.8 and v14.7 was discovered to contain an unquoted service path vulnerability which allows attackers to execute arbitrary commands at elevated privileges via a crafted executable file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-24671"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-16T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "VX Search v13.8 and v14.7 was discovered to contain an unquoted service path vulnerability which allows attackers to execute arbitrary commands at elevated privileges via a crafted executable file.",
  "id": "GHSA-vcxh-hfrr-5f7f",
  "modified": "2023-03-22T18:30:39Z",
  "published": "2023-03-16T12:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24671"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/171300/VX-Search-13.8-Unquoted-Service-Path.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJVV-QRP6-VQ73

Vulnerability from github – Published: 2026-01-16 00:30 – Updated: 2026-01-16 00:30
VLAI
Details

Disk Sorter Enterprise 13.6.12 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe' to inject malicious executables and escalate privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47809"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-16T00:16:25Z",
    "severity": "HIGH"
  },
  "details": "Disk Sorter Enterprise 13.6.12 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in \u0027C:\\Program Files\\Disk Sorter Enterprise\\bin\\disksrs.exe\u0027 to inject malicious executables and escalate privileges.",
  "id": "GHSA-vjvv-qrp6-vq73",
  "modified": "2026-01-16T00:30:55Z",
  "published": "2026-01-16T00:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47809"
    },
    {
      "type": "WEB",
      "url": "https://www.disksorter.com"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/50014"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/disk-sorter-enterprise-disk-sorter-enterprise-unquoted-service-path"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VM63-8W76-P82F

Vulnerability from github – Published: 2026-01-23 18:31 – Updated: 2026-01-23 18:31
VLAI
Details

PDF Complete Corporate Edition 4.1.45 contains an unquoted service path vulnerability in the pdfcDispatcher service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in the service binary location to inject malicious executables that will be run with elevated LocalSystem privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47896"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-23T17:15:58Z",
    "severity": "HIGH"
  },
  "details": "PDF Complete Corporate Edition 4.1.45 contains an unquoted service path vulnerability in the pdfcDispatcher service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in the service binary location to inject malicious executables that will be run with elevated LocalSystem privileges.",
  "id": "GHSA-vm63-8w76-p82f",
  "modified": "2026-01-23T18:31:29Z",
  "published": "2026-01-23T18:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47896"
    },
    {
      "type": "WEB",
      "url": "https://pdf-complete.informer.com/download"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/49558"
    },
    {
      "type": "WEB",
      "url": "https://www.pdfcomplete.com/cms/dpl/tabid/111/Default.aspx?r=du2vH8r"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/pdfcomplete-corporate-edition-pdfcdispatcher-unquoted-service-path"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VP84-GQH8-X8V5

Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 01:02
VLAI
Details

Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without using quotes in the path. This can cause loading of a previously placed executable with a name similar to the parts of the path, instead of the intended one.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-8459"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-20T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without using quotes in the path. This can cause loading of a previously placed executable with a name similar to the parts of the path, instead of the intended one.",
  "id": "GHSA-vp84-gqh8-x8v5",
  "modified": "2024-04-04T01:02:29Z",
  "published": "2022-05-24T16:48:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8459"
    },
    {
      "type": "WEB",
      "url": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=\u0026solutionid=sk124972#Resolved%20Issues"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VPRW-XVJ6-CHJQ

Vulnerability from github – Published: 2022-05-14 03:01 – Updated: 2022-05-14 03:01
VLAI
Details

Unquoted service paths in Intel Processor Diagnostic Tool (IPDT) before version 4.1.0.27 allows a local attacker to potentially execute arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-3668"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-10T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "Unquoted service paths in Intel Processor Diagnostic Tool (IPDT) before version 4.1.0.27 allows a local attacker to potentially execute arbitrary code.",
  "id": "GHSA-vprw-xvj6-chjq",
  "modified": "2022-05-14T03:01:04Z",
  "published": "2022-05-14T03:01:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3668"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00140.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VQ8R-FXMM-FVXP

Vulnerability from github – Published: 2025-12-12 00:30 – Updated: 2025-12-12 00:30
VLAI
Details

Genexus Protection Server 9.7.2.10 contains an unquoted service path vulnerability in the protsrvservice Windows service configuration. Attackers can exploit the unquoted binary path to execute arbitrary code with elevated LocalSystem privileges by placing malicious executables in specific file system locations.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-58288"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-11T22:15:49Z",
    "severity": "HIGH"
  },
  "details": "Genexus Protection Server 9.7.2.10 contains an unquoted service path vulnerability in the protsrvservice Windows service configuration. Attackers can exploit the unquoted binary path to execute arbitrary code with elevated LocalSystem privileges by placing malicious executables in specific file system locations.",
  "id": "GHSA-vq8r-fxmm-fvxp",
  "modified": "2025-12-12T00:30:20Z",
  "published": "2025-12-12T00:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58288"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/52065"
    },
    {
      "type": "WEB",
      "url": "https://www.genexus.com/en/developers/downloadcenter?data=;;"
    },
    {
      "type": "WEB",
      "url": "https://www.genexus.com/es"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/genexus-protection-server-unquoted-service-path-privilege-escalation"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation

Properly quote the full search path before executing a program on the system.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

No CAPEC attack patterns related to this CWE.