VYPR

CWE-426

Untrusted Search Path

BaseStableLikelihood: High

Description

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-38

CVEs mapped to this weakness (355)

page 14 of 18
  • CVE-2018-6218HigFeb 16, 2018
    risk 0.46cvss 7.0epss 0.02

    A DLL Hijacking vulnerability in Trend Micro's User-Mode Hooking Module (UMH) could allow an attacker to run arbitrary code on a vulnerable system.

  • CVE-2016-10009HigJan 5, 2017
    risk 0.46cvss 7.3epss 0.37

    Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket.

  • CVE-2026-47648HigJun 9, 2026
    risk 0.45cvss 7.0epss 0.00

    Untrusted search path in Windows Storage allows an authorized attacker to elevate privileges locally.

  • CVE-2026-11401HigJun 5, 2026
    risk 0.45cvss 8.0epss 0.00

    An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted…

  • CVE-2024-6769MedSep 26, 2024
    risk 0.45cvss 6.7epss 0.01

    A DLL Hijacking caused by drive remapping combined with a poisoning of the activation cache in Microsoft Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022 allows a malicious authenticated attacker to elevate from a medium integrity process…

  • CVE-2026-41384HigApr 28, 2026
    risk 0.44cvss 7.8epss 0.00

    OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configuration. Attackers can craft malicious workspace configs to inject arbitrary…

  • CVE-2026-40156HigApr 10, 2026
    risk 0.44cvss 7.8epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_from_file_location and immediately…

  • CVE-2026-35641HigApr 10, 2026
    risk 0.44cvss 7.8epss 0.00

    OpenClaw before 2026.3.24 contains an arbitrary code execution vulnerability in local plugin and hook installation that allows attackers to execute malicious code by crafting a .npmrc file with a git executable override. During npm install execution in the staged package…

  • CVE-2018-10875HigJul 13, 2018
    risk 0.44cvss 7.8epss 0.01

    A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.

  • CVE-2018-10874HigJul 2, 2018
    risk 0.44cvss 7.8epss 0.00

    In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result.

  • CVE-2018-1000201HigJun 22, 2018
    risk 0.44cvss 7.8epss 0.01

    ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be hijacked on Windows OS, when a Symbol is used as DLL name instead of a String This vulnerability appears to have been fixed in v1.9.24 and later.

  • CVE-2017-12313MedNov 16, 2017
    risk 0.44cvss 6.7epss 0.01

    An untrusted search path (aka DLL Preload) vulnerability in the Cisco Network Academy Packet Tracer software could allow an authenticated, local attacker to execute arbitrary code via DLL hijacking if a local user with administrative privileges executes the installer in the…

  • CVE-2017-12312MedNov 16, 2017
    risk 0.44cvss 6.7epss 0.01

    An untrusted search path (aka DLL Preloading) vulnerability in the Cisco Immunet antimalware installer could allow an authenticated, local attacker to execute arbitrary code via DLL hijacking if a local user with administrative privileges executes the installer in the current…

  • CVE-2015-3887HigSep 21, 2017
    risk 0.44cvss 7.8epss 0.00

    Untrusted search path vulnerability in ProxyChains-NG before 4.9 allows local users to gain privileges via a Trojan horse libproxychains4.so library in the current working directory, which is referenced in the LD_PRELOAD path.

  • CVE-2016-1202HigApr 25, 2016
    risk 0.44cvss 7.8epss 0.00

    Untrusted search path vulnerability in Atom Electron before 0.33.5 allows local users to gain privileges via a Trojan horse Node.js module in a parent directory of a directory named on a require line.

  • CVE-2026-42830MedMay 12, 2026
    risk 0.42cvss 6.5epss 0.00

    Untrusted search path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.

  • CVE-2019-25257MedDec 24, 2025
    risk 0.42cvss 6.5epss 0.00

    LogicalDOC Enterprise 7.7.4 contains multiple authenticated OS command execution vulnerabilities that allow attackers to manipulate binary paths when changing system settings. Attackers can exploit these vulnerabilities by modifying configuration parameters like…

  • CVE-2025-43079MedNov 10, 2025
    risk 0.41cvss 6.3epss 0.00

    The Qualys Cloud Agent included a bundled uninstall script (qagent_uninstall.sh), specific to Mac and Linux supported versions that invoked multiple system commands without using absolute paths and without sanitizing the $PATH environment. If the uninstall script is executed…

  • CVE-2025-30407MedMar 26, 2025
    risk 0.41cvss 6.3epss 0.00

    Local privilege escalation due to a binary hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39713.

  • CVE-2025-24830MedJan 31, 2025
    risk 0.41cvss 6.3epss 0.00

    Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39378.