CWE-426
Untrusted Search Path
BaseStableLikelihood: High
Description
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-38
CVEs mapped to this weakness (241)
page 1 of 13| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-12414 | Cri | 0.64 | 9.8 | 0.00 | Aug 3, 2017 | Format Factory 4.1.0 has a DLL Hijacking Vulnerability because an untrusted search path is used for msimg32.dll, WindowsCodecs.dll, and dwmapi.dll. | |
| CVE-2017-2225 | Cri | 0.64 | 9.8 | 0.01 | Jul 7, 2017 | Untrusted search path vulnerability in EbidSettingChecker.exe (version 1.0.0.0) allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. | |
| CVE-2012-1854 | Hig | 0.63 | 7.8 | 0.05 | KEV | Jul 10, 2012 | Untrusted search path vulnerability in VBE6.dll in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Microsoft Visual Basic for Applications (VBA); and Summit Microsoft Visual Basic for Applications SDK allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .docx file, aka "Visual Basic for Applications Insecure Library Loading Vulnerability," as exploited in the wild in July 2012. |
| CVE-2025-65078 | Cri | 0.60 | — | 0.00 | Feb 3, 2026 | An untrusted search path vulnerability has been identified in the Embedded Solutions Framework in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code. | |
| CVE-2025-23266 | Cri | 0.59 | 9.0 | 0.00 | Jul 17, 2025 | NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with elevated permissions. A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, information disclosure, and denial of service. | |
| CVE-2025-4971 | Hig | 0.58 | — | 0.01 | May 20, 2025 | Broadcom Automic Automation Agent Unix versions < 24.3.0 HF4 and < 21.0.13 HF1 allow low privileged users who have execution rights on the agent executable to escalate their privileges. | |
| CVE-2017-2149 | Hig | 0.58 | 8.8 | 0.08 | Apr 28, 2017 | Untrusted search path vulnerability in installers of the software for SDHC/SDXC Memory Card with embedded NFC functionality Software Update Tool V1.00.03 and earlier, SDHC Memory Card with embedded wireless LAN functionality FlashAir Configuration Software V3.0.2 and earlier, SDHC Memory Card with embedded wireless LAN functionality FlashAir Software Update tool (SD-WE series<W-03>) V3.00.01, SDHC Memory Card with embedded wireless LAN functionality FlashAir Software Update tool (SD-WD/WC series<W-02>) V2.00.03 and earlier, SDHC Memory Card with embedded wireless LAN functionality FlashAir Software Update tool (SD-WB/WL series) V1.00.04 and earlier, SDHC Memory Card with embedded TransferJet functionality Configuration Software V1.02 and earlier, SDHC Memory Card with embedded TransferJet functionality Software Update tool V1.00.06 and earlier allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory. | |
| CVE-2016-1417 | Hig | 0.58 | 8.8 | 0.04 | Jan 23, 2017 | Untrusted search path vulnerability in Snort 2.9.7.0-WIN32 allows remote attackers to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse tcapi.dll that is located in the same folder on a remote file share as a pcap file that is being processed. | |
| CVE-2026-24070 | Hig | 0.57 | 8.8 | 0.00 | Feb 2, 2026 | During the installation of the Native Access application, a privileged helper `com.native-instruments.NativeAccess.Helper2`, which is used by Native Access to trigger functions via XPC communication like copy-file, remove or set-permissions, is deployed as well. The communication with the XPC service of the privileged helper is only allowed if the client process is signed with the corresponding certificate and fulfills the following code signing requirement: "anchor trusted and certificate leaf[subject.CN] = \"Developer ID Application: Native Instruments GmbH (83K5EG6Z9V)\"" The Native Access application was found to be signed with the `com.apple.security.cs.allow-dyld-environment-variables` and `com.apple.security.cs.disable-library-validation` entitlements leading to DYLIB injection and therefore command execution in the context of this application. A low privileged user can exploit the DYLIB injection to trigger functions of the privileged helper XPC service resulting in privilege escalation by first deleting the /etc/sudoers file and then copying a malicious version of that file to /etc/sudoers. | |
| CVE-2017-2207 | Hig | 0.57 | 8.8 | 0.02 | Jun 9, 2017 | Untrusted search path vulnerability in the installer of SaAT Personal ver.1.0.10.272 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. | |
| CVE-2017-2206 | Hig | 0.57 | 8.8 | 0.02 | Jun 9, 2017 | Untrusted search path vulnerability in the installer of SaAT Netizen ver.1.2.10.510 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. | |
| CVE-2017-2178 | Hig | 0.57 | 8.8 | 0.01 | Jun 9, 2017 | Untrusted search path vulnerability in Installer of electronic tendering and bid opening system available prior to May 25, 2017 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. | |
| CVE-2017-2177 | Hig | 0.57 | 8.8 | 0.01 | Jun 9, 2017 | Untrusted search path vulnerability in Installer of Shogyo Touki Denshi Ninsho Software Ver 1.7 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. | |
| CVE-2026-27290 | Hig | 0.56 | 8.6 | 0.00 | Apr 14, 2026 | Adobe Framemaker versions 2022.8 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user. If the application uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue does not require user interaction. | |
| CVE-2016-5330 | Hig | 0.56 | 7.8 | 0.25 | Aug 8, 2016 | Untrusted search path vulnerability in the HGFS (aka Shared Folders) feature in VMware Tools 10.0.5 in VMware ESXi 5.0 through 6.0, VMware Workstation Pro 12.1.x before 12.1.1, VMware Workstation Player 12.1.x before 12.1.1, and VMware Fusion 8.1.x before 8.1.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory. | |
| CVE-2026-40287 | Hig | 0.55 | 8.4 | 0.00 | Apr 14, 2026 | PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths blindly import ./tools.py at startup without any validation, sandboxing, or user confirmation. An attacker who can place a malicious tools.py in the directory where PraisonAI is launched (such as through a shared project, cloned repository, or writable workspace) achieves immediate arbitrary Python code execution in the host environment. This compromises the full PraisonAI process, the host system, and any connected data or credentials. This issue has been fixed in version 4.5.139. | |
| CVE-2025-0141 | Hig | 0.55 | — | 0.00 | Jul 9, 2025 | An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtect™ App on enables a locally authenticated non administrative user to escalate their privileges to root on macOS and Linux or NT AUTHORITY\SYSTEM on Windows. The GlobalProtect app on iOS, Android, Chrome OS and GlobalProtect UWP app are not affected. | |
| CVE-2024-48123 | Hig | 0.55 | 8.4 | 0.00 | Jan 15, 2025 | An issue in the USB Autorun function of HI-SCAN 6040i Hitrax HX-03-19-I allows attackers to execute arbitrary code via uploading a crafted script from a USB device. | |
| CVE-2017-2214 | Hig | 0.55 | 8.4 | 0.00 | Jun 9, 2017 | Untrusted search path vulnerability in AppCheck and AppCheck Pro prior to version 2.0.1.15 allows an attacker to execute arbitrary code via a specially crafted executable file in an unspecified directory. | |
| CVE-2014-8358 | Hig | 0.54 | 7.8 | 0.01 | Dec 11, 2017 | Huawei EC156, EC176, and EC177 USB Modem products with software before UTPS-V200R003B015D02SP07C1014 (23.015.02.07.1014) and before V200R003B015D02SP08C1014 (23.015.02.08.1014) use a weak ACL for the "Mobile Partner" directory, which allows remote attackers to gain SYSTEM privileges by compromising a low privilege account and modifying Mobile Partner.exe. |