CWE-427
Uncontrolled Search Path Element
Description
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-38 · CAPEC-471
CVEs mapped to this weakness (377)
page 1 of 19| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-6517 | Cri | 0.67 | 9.8 | 0.46 | Mar 23, 2017 | Microsoft Skype 7.16.0.102 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. This vulnerability exists due to the way .dll files are loaded by Skype. It allows an attacker to load a .dll of the… | ||
| CVE-2025-69599 | Cri | 0.64 | 9.8 | 0.00 | May 8, 2026 | RayVentory Scan Engine through 12.6 Update 8 allows attackers to gain privileges if they control the value of the PATH environment variable. NOTE: this is disputed because ability of an attacker to control the environment is a site-specific misconfiguration. | ||
| CVE-2019-25268 | Cri | 0.64 | 9.8 | 0.00 | Jan 8, 2026 | NREL BEopt 2.8.0.0 contains a DLL hijacking vulnerability that allows attackers to load arbitrary libraries by tricking users into opening application files from remote shares. Attackers can exploit insecure library loading of sdl2.dll and libegl.dll by placing malicious… | ||
| CVE-2023-53959 | Cri | 0.64 | 9.8 | 0.01 | Dec 19, 2025 | FileZilla Client 3.63.1 contains a DLL hijacking vulnerability that allows attackers to execute malicious code by placing a crafted TextShaping.dll in the application directory. Attackers can generate a reverse shell payload using msfvenom and replace the missing DLL to achieve… | ||
| CVE-2018-12805 | Cri | 0.64 | 9.8 | 0.04 | Jul 20, 2018 | Adobe Connect versions 9.7.5 and earlier have an Insecure Library Loading vulnerability. Successful exploitation could lead to privilege escalation. | ||
| CVE-2017-3097 | Cri | 0.64 | 9.8 | 0.07 | Jun 20, 2017 | Adobe Digital Editions versions 4.5.4 and earlier contain an insecure library loading vulnerability. The vulnerability is due to unsafe library loading functions in the installer plugin. A successful exploitation could lead to arbitrary code execution. | ||
| CVE-2017-3092 | Cri | 0.64 | 9.8 | 0.09 | Jun 20, 2017 | Adobe Digital Editions versions 4.5.4 and earlier contain an insecure library loading vulnerability. The vulnerability is due to unsafe library loading of editor control library functions in the installer plugin. A successful exploitation could lead to arbitrary code execution. | ||
| CVE-2017-3090 | Cri | 0.64 | 9.8 | 0.09 | Jun 20, 2017 | Adobe Digital Editions versions 4.5.4 and earlier contain an insecure library loading vulnerability. The vulnerability is due to unsafe library loading of browser related library extensions in the installer plugin. A successful exploitation could lead to arbitrary code execution. | ||
| CVE-2025-13051 | Cri | 0.60 | — | 0.00 | Nov 19, 2025 | When the service of ABP and AES is installed in a directory writable by non-administrative users, an attacker can replace or plant a DLL with the same name as one loaded by the service. Upon service restart, the malicious DLL is loaded and executed under the LocalSystem account,… | ||
| CVE-2025-34109 | Hig | 0.59 | — | 0.00 | Jul 15, 2025 | PSEvents.exe in multiple Panda Security products runs hourly with SYSTEM privileges and loads DLL files from a user-writable directory without proper validation. An attacker with low-privileged access who can write DLL files to the monitored directory can achieve arbitrary code… | ||
| CVE-2025-30248 | Hig | 0.58 | — | 0.01 | Jan 26, 2026 | DLL hijacking in the WD Discovery Installer in Western Digital WD Discovery 5.2.730 on Windows allows a local attacker to execute arbitrary code via placement of a crafted dll in the installer's search path. | ||
| CVE-2026-7870 | Hig | 0.57 | 8.8 | 0.00 | Jun 11, 2026 | IBM i 7.6, 7.5, 7.4, and 7.3 could allow a user to gain elevated privileges due to an unqualified library call. A malicious actor could cause user-controlled code to run with administrator privilege. | ||
| CVE-2026-40342 | Cri | 0.57 | 9.9 | 0.01 | Apr 17, 2026 | Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated… | ||
| CVE-2026-30478 | Hig | 0.57 | 8.8 | 0.00 | Apr 9, 2026 | A Dynamic-link Library Injection vulnerability in GatewayGeo MapServer for Windows version 5 allows attackers to escalate privileges via a crafted executable. | ||
| CVE-2025-9164 | Hig | 0.57 | — | 0.00 | Oct 27, 2025 | Docker Desktop Installer.exe is vulnerable to DLL hijacking due to insecure DLL search order. The installer searches for required DLLs in the user's Downloads folder before checking system directories, allowing local privilege escalation through malicious DLL placement.This… | ||
| CVE-2025-9844 | Hig | 0.57 | 8.8 | 0.00 | Sep 23, 2025 | Uncontrolled Search Path Element vulnerability in Salesforce Salesforce CLI on Windows allows Replace Trusted Executable.This issue affects Salesforce CLI: before 2.106.6. | ||
| CVE-2025-9059 | Hig | 0.57 | — | 0.00 | Sep 11, 2025 | The Altiris Core Agent Updater package (AeXNSC.exe) is prone to an elevation of privileges vulnerability through DLL hijacking. | ||
| CVE-2024-2208 | Hig | 0.57 | 8.8 | 0.00 | Nov 12, 2024 | Potential vulnerabilities have been identified in the audio package for certain HP PC products using the Sound Research SECOMN64 driver, which might allow escalation of privilege. Sound Research has released driver updates to mitigate the potential vulnerabilities. | ||
| CVE-2017-7966 | Hig | 0.57 | 8.8 | 0.02 | Jun 7, 2017 | A DLL Hijacking vulnerability in the programming software in Schneider Electric's SoMachine HVAC v2.1.0 allows a remote attacker to execute arbitrary code on the targeted system. The vulnerability exists due to the improper loading of a DLL. | ||
| CVE-2025-59889 | Hig | 0.56 | 8.6 | 0.00 | Oct 14, 2025 | Improper authentication of library files in the Eaton IPP software installer could lead to arbitrary code execution of an attacker with the access to the software package. This security issue has been fixed in the latest version of IPP which is available on the Eaton download… |
- risk 0.67cvss 9.8epss 0.46
Microsoft Skype 7.16.0.102 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. This vulnerability exists due to the way .dll files are loaded by Skype. It allows an attacker to load a .dll of the…
- risk 0.64cvss 9.8epss 0.00
RayVentory Scan Engine through 12.6 Update 8 allows attackers to gain privileges if they control the value of the PATH environment variable. NOTE: this is disputed because ability of an attacker to control the environment is a site-specific misconfiguration.
- risk 0.64cvss 9.8epss 0.00
NREL BEopt 2.8.0.0 contains a DLL hijacking vulnerability that allows attackers to load arbitrary libraries by tricking users into opening application files from remote shares. Attackers can exploit insecure library loading of sdl2.dll and libegl.dll by placing malicious…
- risk 0.64cvss 9.8epss 0.01
FileZilla Client 3.63.1 contains a DLL hijacking vulnerability that allows attackers to execute malicious code by placing a crafted TextShaping.dll in the application directory. Attackers can generate a reverse shell payload using msfvenom and replace the missing DLL to achieve…
- risk 0.64cvss 9.8epss 0.04
Adobe Connect versions 9.7.5 and earlier have an Insecure Library Loading vulnerability. Successful exploitation could lead to privilege escalation.
- risk 0.64cvss 9.8epss 0.07
Adobe Digital Editions versions 4.5.4 and earlier contain an insecure library loading vulnerability. The vulnerability is due to unsafe library loading functions in the installer plugin. A successful exploitation could lead to arbitrary code execution.
- risk 0.64cvss 9.8epss 0.09
Adobe Digital Editions versions 4.5.4 and earlier contain an insecure library loading vulnerability. The vulnerability is due to unsafe library loading of editor control library functions in the installer plugin. A successful exploitation could lead to arbitrary code execution.
- risk 0.64cvss 9.8epss 0.09
Adobe Digital Editions versions 4.5.4 and earlier contain an insecure library loading vulnerability. The vulnerability is due to unsafe library loading of browser related library extensions in the installer plugin. A successful exploitation could lead to arbitrary code execution.
- risk 0.60cvss —epss 0.00
When the service of ABP and AES is installed in a directory writable by non-administrative users, an attacker can replace or plant a DLL with the same name as one loaded by the service. Upon service restart, the malicious DLL is loaded and executed under the LocalSystem account,…
- risk 0.59cvss —epss 0.00
PSEvents.exe in multiple Panda Security products runs hourly with SYSTEM privileges and loads DLL files from a user-writable directory without proper validation. An attacker with low-privileged access who can write DLL files to the monitored directory can achieve arbitrary code…
- risk 0.58cvss —epss 0.01
DLL hijacking in the WD Discovery Installer in Western Digital WD Discovery 5.2.730 on Windows allows a local attacker to execute arbitrary code via placement of a crafted dll in the installer's search path.
- risk 0.57cvss 8.8epss 0.00
IBM i 7.6, 7.5, 7.4, and 7.3 could allow a user to gain elevated privileges due to an unqualified library call. A malicious actor could cause user-controlled code to run with administrator privilege.
- risk 0.57cvss 9.9epss 0.01
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated…
- risk 0.57cvss 8.8epss 0.00
A Dynamic-link Library Injection vulnerability in GatewayGeo MapServer for Windows version 5 allows attackers to escalate privileges via a crafted executable.
- risk 0.57cvss —epss 0.00
Docker Desktop Installer.exe is vulnerable to DLL hijacking due to insecure DLL search order. The installer searches for required DLLs in the user's Downloads folder before checking system directories, allowing local privilege escalation through malicious DLL placement.This…
- risk 0.57cvss 8.8epss 0.00
Uncontrolled Search Path Element vulnerability in Salesforce Salesforce CLI on Windows allows Replace Trusted Executable.This issue affects Salesforce CLI: before 2.106.6.
- risk 0.57cvss —epss 0.00
The Altiris Core Agent Updater package (AeXNSC.exe) is prone to an elevation of privileges vulnerability through DLL hijacking.
- risk 0.57cvss 8.8epss 0.00
Potential vulnerabilities have been identified in the audio package for certain HP PC products using the Sound Research SECOMN64 driver, which might allow escalation of privilege. Sound Research has released driver updates to mitigate the potential vulnerabilities.
- risk 0.57cvss 8.8epss 0.02
A DLL Hijacking vulnerability in the programming software in Schneider Electric's SoMachine HVAC v2.1.0 allows a remote attacker to execute arbitrary code on the targeted system. The vulnerability exists due to the improper loading of a DLL.
- risk 0.56cvss 8.6epss 0.00
Improper authentication of library files in the Eaton IPP software installer could lead to arbitrary code execution of an attacker with the access to the software package. This security issue has been fixed in the latest version of IPP which is available on the Eaton download…