CWE-426
Untrusted Search Path
Description
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-38
CVEs mapped to this weakness (355)
page 14 of 18| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-6218 | Hig | 0.46 | 7.0 | 0.02 | Feb 16, 2018 | A DLL Hijacking vulnerability in Trend Micro's User-Mode Hooking Module (UMH) could allow an attacker to run arbitrary code on a vulnerable system. | ||
| CVE-2016-10009 | Hig | 0.46 | 7.3 | 0.37 | Jan 5, 2017 | Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket. | ||
| CVE-2026-47648 | Hig | 0.45 | 7.0 | 0.00 | Jun 9, 2026 | Untrusted search path in Windows Storage allows an authorized attacker to elevate privileges locally. | ||
| CVE-2026-11401 | Hig | 0.45 | 8.0 | 0.00 | Jun 5, 2026 | An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted… | ||
| CVE-2024-6769 | Med | 0.45 | 6.7 | 0.01 | Sep 26, 2024 | A DLL Hijacking caused by drive remapping combined with a poisoning of the activation cache in Microsoft Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022 allows a malicious authenticated attacker to elevate from a medium integrity process… | ||
| CVE-2026-41384 | Hig | 0.44 | 7.8 | 0.00 | Apr 28, 2026 | OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configuration. Attackers can craft malicious workspace configs to inject arbitrary… | ||
| CVE-2026-40156 | Hig | 0.44 | 7.8 | 0.00 | Apr 10, 2026 | PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_from_file_location and immediately… | ||
| CVE-2026-35641 | Hig | 0.44 | 7.8 | 0.00 | Apr 10, 2026 | OpenClaw before 2026.3.24 contains an arbitrary code execution vulnerability in local plugin and hook installation that allows attackers to execute malicious code by crafting a .npmrc file with a git executable override. During npm install execution in the staged package… | ||
| CVE-2018-10875 | — | Hig | 0.44 | 7.8 | 0.01 | Jul 13, 2018 | A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code. | |
| CVE-2018-10874 | — | Hig | 0.44 | 7.8 | 0.00 | Jul 2, 2018 | In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result. | |
| CVE-2018-1000201 | — | Hig | 0.44 | 7.8 | 0.01 | Jun 22, 2018 | ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be hijacked on Windows OS, when a Symbol is used as DLL name instead of a String This vulnerability appears to have been fixed in v1.9.24 and later. | |
| CVE-2017-12313 | Med | 0.44 | 6.7 | 0.01 | Nov 16, 2017 | An untrusted search path (aka DLL Preload) vulnerability in the Cisco Network Academy Packet Tracer software could allow an authenticated, local attacker to execute arbitrary code via DLL hijacking if a local user with administrative privileges executes the installer in the… | ||
| CVE-2017-12312 | Med | 0.44 | 6.7 | 0.01 | Nov 16, 2017 | An untrusted search path (aka DLL Preloading) vulnerability in the Cisco Immunet antimalware installer could allow an authenticated, local attacker to execute arbitrary code via DLL hijacking if a local user with administrative privileges executes the installer in the current… | ||
| CVE-2015-3887 | Hig | 0.44 | 7.8 | 0.00 | Sep 21, 2017 | Untrusted search path vulnerability in ProxyChains-NG before 4.9 allows local users to gain privileges via a Trojan horse libproxychains4.so library in the current working directory, which is referenced in the LD_PRELOAD path. | ||
| CVE-2016-1202 | Hig | 0.44 | 7.8 | 0.00 | Apr 25, 2016 | Untrusted search path vulnerability in Atom Electron before 0.33.5 allows local users to gain privileges via a Trojan horse Node.js module in a parent directory of a directory named on a require line. | ||
| CVE-2026-42830 | Med | 0.42 | 6.5 | 0.00 | May 12, 2026 | Untrusted search path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally. | ||
| CVE-2019-25257 | Med | 0.42 | 6.5 | 0.00 | Dec 24, 2025 | LogicalDOC Enterprise 7.7.4 contains multiple authenticated OS command execution vulnerabilities that allow attackers to manipulate binary paths when changing system settings. Attackers can exploit these vulnerabilities by modifying configuration parameters like… | ||
| CVE-2025-43079 | Med | 0.41 | 6.3 | 0.00 | Nov 10, 2025 | The Qualys Cloud Agent included a bundled uninstall script (qagent_uninstall.sh), specific to Mac and Linux supported versions that invoked multiple system commands without using absolute paths and without sanitizing the $PATH environment. If the uninstall script is executed… | ||
| CVE-2025-30407 | Med | 0.41 | 6.3 | 0.00 | Mar 26, 2025 | Local privilege escalation due to a binary hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39713. | ||
| CVE-2025-24830 | Med | 0.41 | 6.3 | 0.00 | Jan 31, 2025 | Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39378. |
- risk 0.46cvss 7.0epss 0.02
A DLL Hijacking vulnerability in Trend Micro's User-Mode Hooking Module (UMH) could allow an attacker to run arbitrary code on a vulnerable system.
- risk 0.46cvss 7.3epss 0.37
Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket.
- risk 0.45cvss 7.0epss 0.00
Untrusted search path in Windows Storage allows an authorized attacker to elevate privileges locally.
- risk 0.45cvss 8.0epss 0.00
An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted…
- risk 0.45cvss 6.7epss 0.01
A DLL Hijacking caused by drive remapping combined with a poisoning of the activation cache in Microsoft Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022 allows a malicious authenticated attacker to elevate from a medium integrity process…
- risk 0.44cvss 7.8epss 0.00
OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configuration. Attackers can craft malicious workspace configs to inject arbitrary…
- risk 0.44cvss 7.8epss 0.00
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_from_file_location and immediately…
- risk 0.44cvss 7.8epss 0.00
OpenClaw before 2026.3.24 contains an arbitrary code execution vulnerability in local plugin and hook installation that allows attackers to execute malicious code by crafting a .npmrc file with a git executable override. During npm install execution in the staged package…
- risk 0.44cvss 7.8epss 0.01
A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.
- risk 0.44cvss 7.8epss 0.00
In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result.
- risk 0.44cvss 7.8epss 0.01
ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be hijacked on Windows OS, when a Symbol is used as DLL name instead of a String This vulnerability appears to have been fixed in v1.9.24 and later.
- risk 0.44cvss 6.7epss 0.01
An untrusted search path (aka DLL Preload) vulnerability in the Cisco Network Academy Packet Tracer software could allow an authenticated, local attacker to execute arbitrary code via DLL hijacking if a local user with administrative privileges executes the installer in the…
- risk 0.44cvss 6.7epss 0.01
An untrusted search path (aka DLL Preloading) vulnerability in the Cisco Immunet antimalware installer could allow an authenticated, local attacker to execute arbitrary code via DLL hijacking if a local user with administrative privileges executes the installer in the current…
- risk 0.44cvss 7.8epss 0.00
Untrusted search path vulnerability in ProxyChains-NG before 4.9 allows local users to gain privileges via a Trojan horse libproxychains4.so library in the current working directory, which is referenced in the LD_PRELOAD path.
- risk 0.44cvss 7.8epss 0.00
Untrusted search path vulnerability in Atom Electron before 0.33.5 allows local users to gain privileges via a Trojan horse Node.js module in a parent directory of a directory named on a require line.
- risk 0.42cvss 6.5epss 0.00
Untrusted search path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.
- risk 0.42cvss 6.5epss 0.00
LogicalDOC Enterprise 7.7.4 contains multiple authenticated OS command execution vulnerabilities that allow attackers to manipulate binary paths when changing system settings. Attackers can exploit these vulnerabilities by modifying configuration parameters like…
- risk 0.41cvss 6.3epss 0.00
The Qualys Cloud Agent included a bundled uninstall script (qagent_uninstall.sh), specific to Mac and Linux supported versions that invoked multiple system commands without using absolute paths and without sanitizing the $PATH environment. If the uninstall script is executed…
- risk 0.41cvss 6.3epss 0.00
Local privilege escalation due to a binary hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39713.
- risk 0.41cvss 6.3epss 0.00
Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39378.