CWE-427
Uncontrolled Search Path Element
BaseDraft
Description
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-38 · CAPEC-471
CVEs mapped to this weakness (248)
page 1 of 13| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-40342 | Cri | 0.64 | 9.9 | 0.00 | Apr 17, 2026 | Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated user with CREATE FUNCTION privileges can use a crafted ENGINE name to load an arbitrary shared library from anywhere on the filesystem via path traversal. The library's initialization code executes immediately during loading, before Firebird validates the module, achieving code execution as the server's OS account. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14. | |
| CVE-2019-25268 | Cri | 0.64 | 9.8 | 0.00 | Jan 8, 2026 | NREL BEopt 2.8.0.0 contains a DLL hijacking vulnerability that allows attackers to load arbitrary libraries by tricking users into opening application files from remote shares. Attackers can exploit insecure library loading of sdl2.dll and libegl.dll by placing malicious libraries on WebDAV or SMB shares to execute unauthorized code. | |
| CVE-2023-53959 | Cri | 0.64 | 9.8 | 0.00 | Dec 19, 2025 | FileZilla Client 3.63.1 contains a DLL hijacking vulnerability that allows attackers to execute malicious code by placing a crafted TextShaping.dll in the application directory. Attackers can generate a reverse shell payload using msfvenom and replace the missing DLL to achieve remote code execution when the application launches. | |
| CVE-2025-13051 | Cri | 0.60 | — | 0.00 | Nov 19, 2025 | When the service of ABP and AES is installed in a directory writable by non-administrative users, an attacker can replace or plant a DLL with the same name as one loaded by the service. Upon service restart, the malicious DLL is loaded and executed under the LocalSystem account, resulting in unauthorized code execution with elevated privileges. This issue affects ABP and AES: from ABP 2.0 through 2.0.7.9050, from AES 1.0 through 1.0.6.8290. | |
| CVE-2025-34109 | Hig | 0.59 | — | 0.08 | Jul 15, 2025 | PSEvents.exe in multiple Panda Security products runs hourly with SYSTEM privileges and loads DLL files from a user-writable directory without proper validation. An attacker with low-privileged access who can write DLL files to the monitored directory can achieve arbitrary code execution with SYSTEM privileges. Affected products include Panda Global Protection 2016, Panda Antivirus Pro 2016, Panda Small Business Protection, and Panda Internet Security 2016 (all versions up to 16.1.2). | |
| CVE-2025-30248 | Hig | 0.58 | — | 0.00 | Jan 26, 2026 | DLL hijacking in the WD Discovery Installer in Western Digital WD Discovery 5.2.730 on Windows allows a local attacker to execute arbitrary code via placement of a crafted dll in the installer's search path. | |
| CVE-2026-30478 | Hig | 0.57 | 8.8 | 0.00 | Apr 9, 2026 | A Dynamic-link Library Injection vulnerability in GatewayGeo MapServer for Windows version 5 allows attackers to escalate privileges via a crafted executable. | |
| CVE-2025-9164 | Hig | 0.57 | — | 0.00 | Oct 27, 2025 | Docker Desktop Installer.exe is vulnerable to DLL hijacking due to insecure DLL search order. The installer searches for required DLLs in the user's Downloads folder before checking system directories, allowing local privilege escalation through malicious DLL placement.This issue affects Docker Desktop: through 4.48.0. | |
| CVE-2025-9844 | Hig | 0.57 | 8.8 | 0.00 | Sep 23, 2025 | Uncontrolled Search Path Element vulnerability in Salesforce Salesforce CLI on Windows allows Replace Trusted Executable.This issue affects Salesforce CLI: before 2.106.6. | |
| CVE-2025-9059 | Hig | 0.57 | — | 0.00 | Sep 11, 2025 | The Altiris Core Agent Updater package (AeXNSC.exe) is prone to an elevation of privileges vulnerability through DLL hijacking. | |
| CVE-2024-2208 | Hig | 0.57 | 8.8 | 0.00 | Nov 12, 2024 | Potential vulnerabilities have been identified in the audio package for certain HP PC products using the Sound Research SECOMN64 driver, which might allow escalation of privilege. Sound Research has released driver updates to mitigate the potential vulnerabilities. | |
| CVE-2025-59889 | Hig | 0.56 | 8.6 | 0.00 | Oct 14, 2025 | Improper authentication of library files in the Eaton IPP software installer could lead to arbitrary code execution of an attacker with the access to the software package. This security issue has been fixed in the latest version of IPP which is available on the Eaton download center. | |
| CVE-2024-9499 | Hig | 0.56 | 8.6 | 0.00 | Jan 24, 2025 | DLL hijacking vulnerabilities, caused by an uncontrolled search path in the USBXpress Win 98SE Dev Kit installer can lead to privilege escalation and arbitrary code execution when running the impacted installer. | |
| CVE-2024-9498 | Hig | 0.56 | 8.6 | 0.00 | Jan 24, 2025 | DLL hijacking vulnerabilities, caused by an uncontrolled search path in the USBXpress SDK installer can lead to privilege escalation and arbitrary code execution when running the impacted installer. | |
| CVE-2024-9497 | Hig | 0.56 | 8.6 | 0.00 | Jan 24, 2025 | DLL hijacking vulnerabilities, caused by an uncontrolled search path in the USBXpress 4 SDK installer can lead to privilege escalation and arbitrary code execution when running the impacted installer. | |
| CVE-2024-9496 | Hig | 0.56 | 8.6 | 0.00 | Jan 24, 2025 | DLL hijacking vulnerabilities, caused by an uncontrolled search path in the USBXpress Dev Kit installer can lead to privilege escalation and arbitrary code execution when running the impacted installer. | |
| CVE-2024-9495 | Hig | 0.56 | 8.6 | 0.00 | Jan 24, 2025 | DLL hijacking vulnerabilities, caused by an uncontrolled search path in the CP210x VCP Windows installer can lead to privilege escalation and arbitrary code execution when running the impacted installer. | |
| CVE-2024-9494 | Hig | 0.56 | 8.6 | 0.00 | Jan 24, 2025 | DLL hijacking vulnerabilities, caused by an uncontrolled search path in the CP210 VCP Win 2k installer can lead to privilege escalation and arbitrary code execution when running the impacted installer. | |
| CVE-2024-9493 | Hig | 0.56 | 8.6 | 0.00 | Jan 24, 2025 | DLL hijacking vulnerabilities, caused by an uncontrolled search path in the ToolStick installer can lead to privilege escalation and arbitrary code execution when running the impacted installer. | |
| CVE-2024-9492 | Hig | 0.56 | 8.6 | 0.00 | Jan 24, 2025 | DLL hijacking vulnerabilities, caused by an uncontrolled search path in Flash Programming Utility installer can lead to privilege escalation and arbitrary code execution when running the impacted installer. |