CWE-427
Uncontrolled Search Path Element
Description
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-38 · CAPEC-471
CVEs mapped to this weakness (377)
page 9 of 19| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-4134 | Hig | 0.47 | 7.3 | 0.00 | Apr 15, 2026 | During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix, that during installation could allow a local authenticated user to execute code with elevated privileges. | ||
| CVE-2026-4158 | Hig | 0.47 | 7.3 | 0.00 | Apr 11, 2026 | KeePassXC OpenSSL Configuration Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of KeePassXC. An attacker must first obtain the ability to execute low-privileged… | ||
| CVE-2026-2040 | Hig | 0.47 | 7.3 | 0.00 | Feb 20, 2026 | PDF-XChange Editor TrackerUpdate Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of PDF-XChange Editor. An attacker must first obtain the ability to execute… | ||
| CVE-2025-54519 | Hig | 0.47 | 7.3 | 0.00 | Feb 12, 2026 | A DLL hijacking vulnerability in Doc Nav could allow a local attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. | ||
| CVE-2025-52541 | Hig | 0.47 | 7.3 | 0.00 | Feb 11, 2026 | A DLL hijacking vulnerability in Vivado could allow a local attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. | ||
| CVE-2026-21408 | Hig | 0.47 | 7.3 | 0.00 | Jan 27, 2026 | beat-access for Windows version 3.0.3 and prior contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with SYSTEM privileges. | ||
| CVE-2026-0776 | Hig | 0.47 | 7.3 | 0.00 | Jan 23, 2026 | Discord Client Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Discord Client. An attacker must first obtain the ability to execute low-privileged code on the… | ||
| CVE-2025-5470 | Hig | 0.47 | — | 0.00 | Dec 9, 2025 | Uncontrolled Search Path Element vulnerability in Yandex Disk on MacOS allows Search Order Hijacking.This issue affects Disk: before 3.2.45.3275. | ||
| CVE-2025-5469 | Hig | 0.47 | — | 0.00 | Dec 9, 2025 | Uncontrolled Search Path Element vulnerability in Yandex Messenger on MacOS allows Search Order Hijacking.This issue affects Telemost: before 2.245 | ||
| CVE-2025-64726 | Hig | 0.47 | — | 0.00 | Nov 13, 2025 | Socket Firewall is an HTTP/HTTPS proxy server that intercepts package manager requests and enforces security policies by blocking dangerous packages. Socket Firewall binary versions (separate from installers) prior to 0.15.5 are vulnerable to arbitrary code execution when run in… | ||
| CVE-2025-27237 | Hig | 0.47 | — | 0.00 | Oct 3, 2025 | In Zabbix Agent and Agent 2 on Windows, the OpenSSL configuration file is loaded from a path writable by low-privileged users, allowing malicious modification and potential local privilege escalation by injecting a DLL. | ||
| CVE-2025-11178 | Hig | 0.47 | 7.3 | 0.00 | Sep 30, 2025 | Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis True Image (Windows) before build 42386, Acronis True Image for Western Digital (Windows) before build 42636, Acronis True Image for SanDisk (Windows) before build 42679,… | ||
| CVE-2024-13946 | Med | 0.47 | 6.8 | 0.01 | May 22, 2025 | DLL's are not digitally signed when loaded in ASPECT's configuration toolset exposing the application to binary planting during device commissioning.This issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*. | ||
| CVE-2024-57964 | Hig | 0.47 | 7.3 | 0.00 | Feb 18, 2025 | Insecure Loading of Dynamic Link Libraries have been discovered in HVAC Energy Saving Program, which could allow local attackers to potentially disclose information or execute arbitray code on affected systems. This issue affects HVAC Energy Saving Program:. | ||
| CVE-2024-57963 | Hig | 0.47 | 7.3 | 0.00 | Feb 18, 2025 | Insecure Loading of Dynamic Link Libraries have been discovered in USB-CONVERTERCABLE DRIVER, which could allow local attackers to potentially disclose information or execute arbitray code on affected systems. This issue affects USB-CONVERTERCABLE DRIVER:. | ||
| CVE-2023-31361 | Hig | 0.47 | 7.3 | 0.00 | Feb 11, 2025 | A DLL hijacking vulnerability in AMD Integrated Management Technology (AIM-T) Manageability Service could allow an attacker to achieve privilege escalation potentially resulting in arbitrary code execution. | ||
| CVE-2024-57426 | Hig | 0.47 | 7.3 | 0.00 | Feb 6, 2025 | NetMod VPN Client 5.3.1 is vulnerable to DLL injection, allowing an attacker to execute arbitrary code by placing a malicious DLL in a directory where the application loads dependencies. This vulnerability arises due to the improper validation of dynamically loaded libraries. | ||
| CVE-2024-45246 | — | Hig | 0.47 | 7.3 | 0.00 | Oct 6, 2024 | Diebold Nixdorf – CWE-427: Uncontrolled Search Path Element | |
| CVE-2024-2637 | Hig | 0.47 | 7.2 | 0.00 | May 14, 2024 | An Uncontrolled Search Path Element vulnerability in B&R Industrial Automation Scene Viewer, B&R Industrial Automation Automation Runtime, B&R Industrial Automation mapp Vision, B&R Industrial Automation mapp View, B&R Industrial Automation mapp Cockpit, B&R Industrial… | ||
| CVE-2018-11049 | Hig | 0.47 | 7.3 | 0.00 | Jul 11, 2018 | RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance, and RSA IMG releases have an uncontrolled search vulnerability. The installation scripts set an environment variable in an unintended manner. A local authenticated malicious user could trick the root user… |
- risk 0.47cvss 7.3epss 0.00
During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix, that during installation could allow a local authenticated user to execute code with elevated privileges.
- risk 0.47cvss 7.3epss 0.00
KeePassXC OpenSSL Configuration Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of KeePassXC. An attacker must first obtain the ability to execute low-privileged…
- risk 0.47cvss 7.3epss 0.00
PDF-XChange Editor TrackerUpdate Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of PDF-XChange Editor. An attacker must first obtain the ability to execute…
- risk 0.47cvss 7.3epss 0.00
A DLL hijacking vulnerability in Doc Nav could allow a local attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.
- risk 0.47cvss 7.3epss 0.00
A DLL hijacking vulnerability in Vivado could allow a local attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.
- risk 0.47cvss 7.3epss 0.00
beat-access for Windows version 3.0.3 and prior contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with SYSTEM privileges.
- risk 0.47cvss 7.3epss 0.00
Discord Client Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Discord Client. An attacker must first obtain the ability to execute low-privileged code on the…
- risk 0.47cvss —epss 0.00
Uncontrolled Search Path Element vulnerability in Yandex Disk on MacOS allows Search Order Hijacking.This issue affects Disk: before 3.2.45.3275.
- risk 0.47cvss —epss 0.00
Uncontrolled Search Path Element vulnerability in Yandex Messenger on MacOS allows Search Order Hijacking.This issue affects Telemost: before 2.245
- risk 0.47cvss —epss 0.00
Socket Firewall is an HTTP/HTTPS proxy server that intercepts package manager requests and enforces security policies by blocking dangerous packages. Socket Firewall binary versions (separate from installers) prior to 0.15.5 are vulnerable to arbitrary code execution when run in…
- risk 0.47cvss —epss 0.00
In Zabbix Agent and Agent 2 on Windows, the OpenSSL configuration file is loaded from a path writable by low-privileged users, allowing malicious modification and potential local privilege escalation by injecting a DLL.
- risk 0.47cvss 7.3epss 0.00
Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis True Image (Windows) before build 42386, Acronis True Image for Western Digital (Windows) before build 42636, Acronis True Image for SanDisk (Windows) before build 42679,…
- risk 0.47cvss 6.8epss 0.01
DLL's are not digitally signed when loaded in ASPECT's configuration toolset exposing the application to binary planting during device commissioning.This issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.
- risk 0.47cvss 7.3epss 0.00
Insecure Loading of Dynamic Link Libraries have been discovered in HVAC Energy Saving Program, which could allow local attackers to potentially disclose information or execute arbitray code on affected systems. This issue affects HVAC Energy Saving Program:.
- risk 0.47cvss 7.3epss 0.00
Insecure Loading of Dynamic Link Libraries have been discovered in USB-CONVERTERCABLE DRIVER, which could allow local attackers to potentially disclose information or execute arbitray code on affected systems. This issue affects USB-CONVERTERCABLE DRIVER:.
- risk 0.47cvss 7.3epss 0.00
A DLL hijacking vulnerability in AMD Integrated Management Technology (AIM-T) Manageability Service could allow an attacker to achieve privilege escalation potentially resulting in arbitrary code execution.
- risk 0.47cvss 7.3epss 0.00
NetMod VPN Client 5.3.1 is vulnerable to DLL injection, allowing an attacker to execute arbitrary code by placing a malicious DLL in a directory where the application loads dependencies. This vulnerability arises due to the improper validation of dynamically loaded libraries.
- risk 0.47cvss 7.3epss 0.00
Diebold Nixdorf – CWE-427: Uncontrolled Search Path Element
- risk 0.47cvss 7.2epss 0.00
An Uncontrolled Search Path Element vulnerability in B&R Industrial Automation Scene Viewer, B&R Industrial Automation Automation Runtime, B&R Industrial Automation mapp Vision, B&R Industrial Automation mapp View, B&R Industrial Automation mapp Cockpit, B&R Industrial…
- risk 0.47cvss 7.3epss 0.00
RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance, and RSA IMG releases have an uncontrolled search vulnerability. The installation scripts set an environment variable in an unintended manner. A local authenticated malicious user could trick the root user…