CWE-427
Uncontrolled Search Path Element
BaseDraft
Description
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-38 · CAPEC-471
CVEs mapped to this weakness (303)
page 3 of 16| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2014-8393 | Hig | 0.54 | 7.8 | 0.05 | Aug 29, 2017 | DLL Hijacking vulnerability in CorelDRAW X7, Corel Photo-Paint X7, Corel PaintShop Pro X7, Corel Painter 2015, and Corel PDF Fusion. | |
| CVE-2017-12653 | Hig | 0.54 | 7.8 | 0.02 | Aug 7, 2017 | 360 Total Security 9.0.0.1202 before 2017-07-07 allows Privilege Escalation via a Trojan horse Shcore.dll file in any directory in the PATH, as demonstrated by the C:\Python27 directory. | |
| CVE-2026-34632 | Hig | 0.53 | 8.2 | 0.00 | Apr 15, 2026 | Adobe Photoshop Installer was affected by an Uncontrolled Search Path Element vulnerability that could have resulted in arbitrary code execution in the context of the current user. A low-privileged local attacker could have exploited this vulnerability by manipulating the search path used by the application to locate critical resources, potentially causing unauthorized code execution. Exploitation of this issue required user interaction in that a user had to be running the installer. | |
| CVE-2025-23358 | Hig | 0.53 | 8.2 | 0.00 | Nov 4, 2025 | NVIDIA NVApp for Windows contains a vulnerability in the installer, where a local attacker can cause a search path element issue. A successful exploit of this vulnerability might lead to code execution and escalation of privileges. | |
| CVE-2025-23309 | Hig | 0.53 | 8.2 | 0.00 | Oct 10, 2025 | NVIDIA Display Driver contains a vulnerability where an uncontrolled DLL loading path might lead to arbitrary denial of service, escalation of privileges, code execution, and data tampering. | |
| CVE-2026-32172 | Hig | 0.52 | 8.0 | 0.00 | Apr 23, 2026 | Uncontrolled search path element in Microsoft Power Apps allows an unauthorized attacker to execute code over a network. | |
| CVE-2026-2361 | Hig | 0.52 | 8.0 | 0.00 | Feb 11, 2026 | PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a temporary view based on a function containing malicious code. When the anon.get_tablesample_ratio function is then called, the malicious code is executed with superuser privileges. This privilege elevation can be exploited by users having the CREATE privilege in PostgreSQL 15 and later. The risk is higher with PostgreSQL 14 or with instances upgraded from PostgreSQL 14 or a prior version because the creation permission on the public schema is granted by default. The problem is resolved in PostgreSQL Anonymizer 3.0.1 and further versions | |
| CVE-2026-2360 | Hig | 0.52 | 8.0 | 0.00 | Feb 11, 2026 | PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a custom operator in the public schema and place malicious code in that operator. This operator will later be executed with superuser privileges when the extension is created. The risk is higher with PostgreSQL 14 or with instances upgraded from PostgreSQL 14 or a prior version. With PostgreSQL 15 and later, the creation permission on the public schema is revoked by default and this exploit can only be achieved if a superuser adds a new schema in her/his own search_path and grants the CREATE privilege on that schema to untrusted users, both actions being clearly discouraged by the PostgreSQL documentation. The problem is resolved in PostgreSQL Anonymizer 3.0.1 and further versions | |
| CVE-2026-44612 | Hig | 0.51 | 7.8 | 0.00 | May 13, 2026 | Bytello Share (Windows Edition) installer executable provided by Bytello insecurely loads Dynamic Link Libraries. If there is a crafted DLL at the same directory when invoking the affected installer, arbitrary code may be executed with the privilege of the user invoking the installer. | |
| CVE-2026-6788 | Hig | 0.51 | 7.8 | 0.00 | May 6, 2026 | Uncontrolled Search Path Element vulnerability in WatchGuard Agent on Windows allows Using Malicious Files.This issue affects WatchGuard Agent before 1.25.03.0000. | |
| CVE-2026-7279 | Hig | 0.51 | 7.8 | 0.00 | Apr 28, 2026 | AVACAST developed by eMPIA Technology, has a DLL Hijacking vulnerability, allowing authenticated local attackers to place a malicious DLL in a specific directory, resulting in arbitrary code execution with system privileges when the system loads the DLL. | |
| CVE-2026-42171 | Hig | 0.51 | 7.8 | 0.00 | Apr 24, 2026 | NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the references). | |
| CVE-2026-32679 | Hig | 0.51 | 7.8 | 0.00 | Apr 23, 2026 | The installers of LiveOn Meet Client for Windows (Downloader5Installer.exe and Downloader5InstallerForAdmin.exe) and the installers of Canon Network Camera Plugin (CanonNWCamPlugin.exe and CanonNWCamPluginForAdmin.exe) insecurely load Dynamic Link Libraries (DLLs). If a malicious DLL is placed at the same directory, the affected installer may load that DLL and execute its code with the privilege of the user invoking the installer. | |
| CVE-2026-22619 | Hig | 0.51 | 7.8 | 0.00 | Apr 16, 2026 | Eaton Intelligent Power Protector (IPP) is affected by insecure library loading in its executable, which could lead to arbitrary code execution by an attacker with access to the software package. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download center. | |
| CVE-2026-5397 | Hig | 0.51 | 7.8 | 0.00 | Apr 15, 2026 | It has been identified that a vulnerability (CWE-427) exists in the UPS (Uninterruptible Power Supply) management application, whereby improper permissions on the installation directory allow a malicious actor to place a DLL that is then executed with administrator privileges. If a malicious DLL is placed in the installation directory of this product, there is a possibility that the malicious DLL may be executed by exploiting the product’s behavior of loading missing DLLs from the same directory as the executable during service startup. | |
| CVE-2026-5055 | Hig | 0.51 | 7.8 | 0.00 | Apr 11, 2026 | NoMachine Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the NoMachine Device Server. The product loads a library from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-28494. | |
| CVE-2026-28704 | Hig | 0.51 | 7.8 | 0.00 | Apr 10, 2026 | Emocheck insecurely loads Dynamic Link Libraries (DLLs). If a crafted DLL file is placed to the same directory, an arbitrary code may be executed with the privilege of the user invoking EmoCheck. | |
| CVE-2025-14821 | Hig | 0.51 | 7.8 | 0.00 | Apr 7, 2026 | A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications via an insecure default configuration on Windows systems where the library automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users. | |
| CVE-2026-5271 | Hig | 0.51 | 7.8 | 0.00 | Apr 1, 2026 | pymanager included the current working directory in sys.path meaning modules could be shadowed by modules in the current working directory. As a result, if a user executes a pymanager-generated command (e.g., pip, pytest) from an attacker-controlled directory, a malicious module in that directory can be imported and executed instead of the intended package. | |
| CVE-2026-3775 | Hig | 0.51 | 7.8 | 0.00 | Apr 1, 2026 | The application's update service, when checking for updates, loads certain system libraries from a search path that includes directories writable by low‑privileged users and is not strictly restricted to trusted system locations. Because these libraries may be resolved and loaded from user‑writable locations, a local attacker can place a malicious library there and have it loaded with SYSTEM privileges, resulting in local privilege escalation and arbitrary code execution. |