CWE-426— Untrusted Search Path
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.— MITRE CWE catalog
554 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-426page 11 of 12
- CVE-2026-0662HIGHCVSS 7.8EG 7.82026-02-04
A maliciously crafted project directory, when opening a max file in Autodesk 3ds Max, could lead to execution of arbitrary code in the context of the current process due to an Untrusted Search Path being utilized.
- CVE-2026-11400HIGHCVSS 8.0EG 8.02026-06-05
An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, incl…
- CVE-2026-11401HIGHCVSS 8.0EG 8.02026-06-05
An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, includ…
- CVE-2026-20943HIGHCVSS 7.0EG 7.02026-01-13
Untrusted search path in Microsoft Office allows an unauthorized attacker to execute code locally.
- CVE-2026-21280HIGHCVSS 8.6EG 8.62026-01-13
Illustrator versions 29.8.3, 30.0 and earlier are affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user. If the application uses a search path to locate critical…
- CVE-2026-21508HIGHCVSS 7.0EG 7.02026-02-10
Improper authentication in Windows Storage allows an authorized attacker to elevate privileges locally.
- CVE-2026-23512HIGHCVSS 8.6EG 8.62026-01-14
SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, there is a Untrusted Search Path vulnerability when Advanced Options setting is trigger. The application executes notepad.exe without specifying an absolute path when u…
- CVE-2026-23888MEDIUMCVSS 6.5EG 6.52026-01-26
pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) …
- CVE-2026-24051HIGHCVSS 7.0EG 7.02026-02-02
OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/ho…
- CVE-2026-24064HIGHCVSS 7.8EG 7.82026-06-09
Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability. A trusted XPC client component included with the product is signed with hardened runtime entitlements that permit dynamic library in…
- CVE-2026-24070HIGHCVSS 8.8EG 8.82026-02-02
During the installation of the Native Access application, a privileged helper `com.native-instruments.NativeAccess.Helper2`, which is used by Native Access to trigger functions via XPC communication like copy-file, remove or set-permission…
- CVE-2026-2516HIGHCVSS 7.0EG 7.02026-02-15
A vulnerability was identified in Unidocs ezPDF DRM Reader and ezPDF Reader 2.0/3.0.0.4. This affects an unknown part in the library SHFOLDER.dll. Such manipulation leads to uncontrolled search path. The attack needs to be performed locall…
- CVE-2026-25190HIGHCVSS 7.8EG 7.82026-03-10
Untrusted search path in Windows GDI allows an unauthorized attacker to execute code locally.
- CVE-2026-2538HIGHCVSS 7.0EG 7.02026-02-16
A security flaw has been discovered in Flos Freeware Notepad2 4.2.22/4.2.23/4.2.24/4.2.25. Affected is an unknown function in the library Msimg32.dll. Performing a manipulation results in uncontrolled search path. Attacking locally is a re…
- CVE-2026-2542HIGHCVSS 7.0EG 7.02026-02-16
A weakness has been identified in Total VPN 0.5.29.0 on Windows. Affected by this vulnerability is an unknown functionality of the file C:\Program Files\Total VPN\win-service.exe. Executing a manipulation can lead to unquoted search path. …
- CVE-2026-25880HIGHCVSS 7.8EG 7.82026-02-09
SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, the PDF reader allows execution of a malicious binary (explorer.exe) located in the same directory as the opened PDF when the user clicks File → “Show in folder”.…
- CVE-2026-25992HIGHCVSS 7.5EG 7.52026-02-10
SiYuan is a personal knowledge management system. Prior to 3.5.5, the /api/file/getFile endpoint uses case-sensitive string equality checks to block access to sensitive files. On case-insensitive file systems such as Windows, attackers can…
- CVE-2026-27290HIGHCVSS 8.6EG 8.62026-04-14
Adobe Framemaker versions 2022.8 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user. If the application uses a search path to locate cr…
- CVE-2026-2998HIGHCVSS 7.8EG 7.82026-02-23
ERP developed by eAI Technologies has a DLL Hijacking vulnerability, allowing authenticated local attackers to place a crafted DLL file in the same directory as the program, thereby executing arbitrary code.
- CVE-2026-30906HIGHCVSS 7.8EG 7.82026-05-13
Untrusted search path in the installer for Zoom Rooms for Windows before version 7.0.0 may allow an authenticated user to enable an escalation of privilege via local access.
- CVE-2026-32009MEDIUMCVSS 5.7EG 5.72026-03-19
OpenClaw versions prior to 2026.2.24 contain a policy bypass vulnerability in the safeBins allowlist evaluation that trusts static default directories including writable package-manager paths like /opt/homebrew/bin and /usr/local/bin. An a…
- CVE-2026-32015HIGHCVSS 7.8EG 7.82026-03-19
OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a path hijacking vulnerability in tools.exec.safeBins that allows attackers to bypass allowlist checks by controlling process PATH resolution. Attackers who can influence the gateway p…
- CVE-2026-32016HIGHCVSS 7.8EG 7.82026-03-19
OpenClaw versions prior to 2026.2.22 on macOS contain a path validation bypass vulnerability in the exec-approval allowlist mode that allows local attackers to execute unauthorized binaries by exploiting basename-only allowlist entries. At…
- CVE-2026-32032HIGHCVSS 7.8EG 7.82026-03-19
OpenClaw versions prior to 2026.2.22 contain an arbitrary shell execution vulnerability in shell environment fallback that trusts the unvalidated SHELL path from the host environment. An attacker with local environment access can inject a …
- CVE-2026-35368HIGHCVSS 7.8EG 7.82026-04-22
A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot but before dropping root privileges. On glibc-based sys…
- CVE-2026-35603HIGHCVSS 7.3EG 7.32026-04-17
Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access p…
- CVE-2026-3780HIGHCVSS 7.3EG 7.32026-04-01
The application's installer runs with elevated privileges but resolves system executables and DLLs using untrusted search paths that can include user-writable directories, allowing a local attacker to place malicious binaries with the same…
- CVE-2026-3787HIGHCVSS 7.0EG 7.02026-03-08
A weakness has been identified in UltraVNC 1.6.4.0 on Windows. This affects an unknown function in the library cryptbase.dll of the component Windows Service. This manipulation causes uncontrolled search path. The attack requires local acc…
- CVE-2026-39883HIGHCVSS 7.0EG 7.02026-04-08
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH …
- CVE-2026-40156HIGHCVSS 7.8EG 7.82026-04-10
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_fr…
- CVE-2026-40287HIGHCVSS 8.4EG 8.42026-04-14
PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (impor…
- CVE-2026-40947LOWCVSS 2.9EG 2.92026-04-16
Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 have an unintended DLL search path.
- CVE-2026-42830MEDIUMCVSS 6.5EG 6.52026-05-12
Untrusted search path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.
- CVE-2026-44477HIGHCVSS 8.8EG 8.82026-05-28
CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local …
- CVE-2026-4545HIGHCVSS 7.0EG 7.02026-03-22
A security flaw has been discovered in Flos Freeware Notepad2 4.2.25. This affects an unknown function in the library PROPSYS.dll. Performing a manipulation results in uncontrolled search path. The attack is only possible with local access…
- CVE-2026-4546HIGHCVSS 7.0EG 7.02026-03-22
A weakness has been identified in Flos Freeware Notepad2 4.2.25. This impacts an unknown function in the library TextShaping.dll. Executing a manipulation can lead to uncontrolled search path. The attack is restricted to local execution. T…
- CVE-2026-45721CRITICALCVSS 9.0EG 9.02026-05-19
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured ser…
- CVE-2026-45772CRITICALCVSS 9.8EG 9.82026-05-15
Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn confi…
- CVE-2026-45792MEDIUMCVSS 5.5EG 6.92026-05-20
rtk filters and compresses command outputs before they reach your LLM context. Prior to 0.32.0, RTK (Rust Token Killer) improperly trusts project-local configuration files. RTK automatically loads .rtk/filters.toml from the working directo…
- CVE-2026-46710HIGHCVSS 7.8EG 7.82026-06-26
Notepad++ is a free and open-source source code editor. From 8.9.4 until 8.9.6, Notepad++ contains a local privilege escalation vulnerability in the installer. During installation, the installer invokes powershell.exe without using an abso…
- CVE-2026-47648HIGHCVSS 7.0EG 7.02026-06-09
Untrusted search path in Windows Storage allows an authorized attacker to elevate privileges locally.
- CVE-2026-48565HIGHCVSS 7.8EG 7.82026-06-09
Untrusted search path in Windows Narrator Braille allows an authorized attacker to elevate privileges locally.
- CVE-2026-49145HIGHCVSS 7.5EG 7.52026-07-08
App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc. ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The project-source option …
- CVE-2026-4962HIGHCVSS 7.0EG 7.02026-03-27
A security flaw has been discovered in UltraVNC up to 1.6.4.0. Affected by this issue is some unknown functionality in the library version.dll of the component Service. The manipulation results in uncontrolled search path. The attack needs…
- CVE-2026-53819HIGHCVSS 8.8EG 8.82026-06-11
OpenClaw before 2026.5.27 contains an arbitrary code execution vulnerability in skill install flows where workspace .env files can override the Homebrew executable selection. Attackers with access to trusted operator workspaces can execute…
- CVE-2026-53842HIGHCVSS 7.1EG 7.12026-06-16
OpenClaw before 2026.5.2 contains an environment variable injection vulnerability allowing workspace .env files to influence Python runtime selection through CLOUDSDK_PYTHON during Gmail setup gcloud execution. Attackers with repository ac…
- CVE-2026-53846HIGHCVSS 7.1EG 7.12026-06-16
OpenClaw before 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env files to override the npm_execpath configuration used for bundled runtime dependency installation. Attackers with workspace …
- CVE-2026-53858HIGHCVSS 7.1EG 7.12026-06-16
OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots. Attackers can manipulate the STATE_DIRECTORY variable to load runtime …
- CVE-2026-53865HIGHCVSS 7.1EG 7.12026-06-16
OpenClaw before 2026.5.2 contains a path traversal vulnerability in maintenance task execution that allows workspace-derived service paths to influence trash command selection. Attackers can execute unintended local executables from operat…
- CVE-2026-54055MEDIUMCVSS 5.0EG 5.02026-06-12
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files o…
Map vulnerabilities like CWE-426 to your infrastructure
EchelonGraph correlates every CVE — across CWE-426 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →