VYPR

CWE-427

Uncontrolled Search Path Element

BaseDraft

Description

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-38 · CAPEC-471

CVEs mapped to this weakness (377)

page 12 of 19
  • CVE-2026-47092HigMay 18, 2026
    risk 0.44cvss 7.8epss 0.01

    Claude HUD through 0.0.12, patched in commit 234d9aa, contains a command injection vulnerability that allows local attackers to execute arbitrary commands by manipulating the COMSPEC environment variable. Attackers can set COMSPEC to an arbitrary binary path before claude-hud…

  • CVE-2024-47091HigMay 13, 2026
    risk 0.44cvss 7.8epss 0.00

    Privilege escalation in the mk_mysql agent plugin on Windows in Checkmk <2.4.0p29, <2.3.0p47, and 2.2.0 (EOL) allows a local unprivileged user able to create a Windows service whose name matches 'MySQL' or 'MariaDB' (or with write access to a binary referenced by such a service)…

  • CVE-2026-45004HigMay 11, 2026
    risk 0.44cvss 7.8epss 0.00

    OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd() during provider setup metadata resolution. Attackers can execute arbitrary JavaScript under the current user account by…

  • CVE-2026-25852MedApr 29, 2026
    risk 0.44cvss 6.7epss 0.00

    Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212.

  • CVE-2026-42171HigApr 24, 2026
    risk 0.44cvss 7.8epss 0.00

    NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the references).

  • CVE-2026-1636MedApr 15, 2026
    risk 0.44cvss 6.7epss 0.00

    A potential DLL hijacking vulnerability was reported in Lenovo Service Bridge that, under certain conditions, could allow a local authenticated user to execute code with elevated privileges.

  • CVE-2026-40031HigApr 8, 2026
    risk 0.44cvss 7.8epss 0.00

    MemProcFS before 5.17 contains multiple unsafe library-loading patterns that enable DLL and shared-library hijacking across six attack surfaces, including bare-name LoadLibraryU and dlopen calls without path qualification for vmmpyc, libMSCompression, and plugin DLLs. An…

  • CVE-2026-28728MedApr 2, 2026
    risk 0.44cvss 6.7epss 0.00

    Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis True Image (Windows) before build 42902.

  • CVE-2026-27774MedApr 2, 2026
    risk 0.44cvss 6.7epss 0.00

    Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis True Image (Windows) before build 42902.

  • CVE-2026-5271HigApr 1, 2026
    risk 0.44cvss 7.8epss 0.00

    pymanager included the current working directory in sys.path meaning modules could be shadowed by modules in the current working directory. As a result, if a user executes a pymanager-generated command (e.g., pip, pytest) from an attacker-controlled directory, a malicious…

  • CVE-2026-34054HigMar 31, 2026
    risk 0.44cvss 7.8epss 0.01

    vcpkg is a free and open-source C/C++ package manager. Prior to version 3.6.1#3, vcpkg's Windows builds of OpenSSL set openssldir to a path on the build machine, making that path be attackable later on customer machines. This issue has been patched in version 3.6.1#3.

  • CVE-2026-3091MedFeb 24, 2026
    risk 0.44cvss 6.7epss 0.00

    An uncontrolled search path element vulnerability in Synology Presto Client before 2.1.3-0672 allows local users to read or write arbitrary files and conduct denial-of-service during installation by placing a malicious DLL in advance in the same directory as the installer.

  • CVE-2025-32452MedFeb 10, 2026
    risk 0.44cvss 6.7epss 0.00

    Uncontrolled search path for some AI Playground before version 2.6.1 beta within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege.…

  • CVE-2025-20106MedFeb 10, 2026
    risk 0.44cvss 6.7epss 0.00

    Uncontrolled search path in some software installer for some VTune(TM) Profiler software and Intel(R) oneAPI Base Toolkits before version 2025.0. within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined…

  • CVE-2025-35972MedNov 11, 2025
    risk 0.44cvss 6.7epss 0.00

    Uncontrolled search path for the Intel MPI Library before version 2021.16 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege.…

  • CVE-2025-32038MedNov 11, 2025
    risk 0.44cvss 6.7epss 0.00

    Uncontrolled search path for some FPGA Support Package for the Intel oneAPI DPC++C++ Compiler software before version 2025.0.1 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high…

  • CVE-2025-32001MedNov 11, 2025
    risk 0.44cvss 6.7epss 0.00

    Uncontrolled search path for the Intel(R) Processor Identification Utility before version 8.0.43 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable…

  • CVE-2025-31931MedNov 11, 2025
    risk 0.44cvss 6.7epss 0.00

    Uncontrolled search path for the Instrumentation and Tracing Technology API (ITT API) software before version 3.25.4 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity…

  • CVE-2025-31647MedNov 11, 2025
    risk 0.44cvss 6.7epss 0.00

    Uncontrolled search path for some Intel(R) Graphics Software before version 25.22.1502.2 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation…

  • CVE-2025-31645MedNov 11, 2025
    risk 0.44cvss 6.7epss 0.00

    Uncontrolled search path for some System Event Log Viewer Utility software for all versions within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable…