CWE-427— Uncontrolled Search Path Element
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.— MITRE CWE catalog
1,124 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-427page 21 of 23
- CVE-2025-5470HIGHCVSS 7.3EG 7.32025-12-09
Uncontrolled Search Path Element vulnerability in Yandex Disk on MacOS allows Search Order Hijacking.This issue affects Disk: before 3.2.45.3275.
- CVE-2025-5471HIGHCVSS 7.8EG 7.82025-12-09
Uncontrolled Search Path Element vulnerability in Yandex Telemost on MacOS allows Search Order Hijacking.This issue affects Telemost: before 2.19.1.
- CVE-2025-5480HIGHCVSS 7.8EG 7.82025-06-06
Action1 Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Action1. An attacker must first obtain the ability to execute…
- CVE-2025-55671HIGHCVSS 7.8EG 7.82025-09-05
Uncontrolled search path element issue exists in TkEasyGUI versions prior to v1.0.22. If this vulnerability is exploited, arbitrary code may be executed with the privilege of running the program.
- CVE-2025-56383HIGHCVSS 8.4EG 6.52025-09-26
Notepad++ v8.8.3 has a DLL hijacking vulnerability, which can replace the original DLL file to execute malicious code. NOTE: this is disputed by multiple parties because the behavior only occurs when a user installs the product into a dire…
- CVE-2025-57624HIGHCVSS 7.8EG 7.82025-09-16
A DLL hijacking vulnerability in CYRISMA Agent before 444 allows local users to escalate privileges and execute arbitrary code via multiple DLLs.
- CVE-2025-57716MEDIUMCVSS 6.7EG 6.72025-10-14
An Uncontrolled Search Path Element vulnerability [CWE-427] in FortiClient Windows 7.4.0 through 7.4.3, 7.2.0 through 7.2.11, 7.0 all versions may allow a local low privileged user to perform a DLL hijacking attack via placing a malicious …
- CVE-2025-57781HIGHCVSS 7.8EG 7.82025-10-06
The installers of DENSO TEN drive recorder viewer contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with the privilege of the user invoking t…
- CVE-2025-57836HIGHCVSS 7.8EG 7.82026-01-05
An issue was discovered in Samsung Magician 6.3.0 through 8.3.2 on Windows. The installer creates a temporary folder with weak permissions during installation, allowing a non-admin user to perform DLL hijacking and escalate privileges.
- CVE-2025-59684HIGHCVSS 8.8EG 8.82025-10-01
DigiSign DigiSigner ONE 1.0.4.60 allows DLL Hijacking.
- CVE-2025-5981MEDIUMCVSS 6.5EG 6.52025-06-18
Arbitrary file write as the OSV-SCALIBR user on the host system via a path traversal vulnerability when using OSV-SCALIBR's unpack() function for container images. Particularly, when using the CLI flag --remote-image on untrusted contain…
- CVE-2025-59887HIGHCVSS 8.6EG 8.62025-12-26
Improper authentication of library files in the Eaton UPS Companion software installer could lead to arbitrary code execution of an attacker with the access to the software package. This security issue has been fixed in the latest version…
- CVE-2025-59889HIGHCVSS 8.6EG 8.62025-10-14
Improper authentication of library files in the Eaton IPP software installer could lead to arbitrary code execution of an attacker with the access to the software package. This security issue has been fixed in the latest version of IPP …
- CVE-2025-60749HIGHCVSS 7.8EG 7.82025-10-31
DLL Hijacking vulnerability in Trimble SketchUp desktop 2025 via crafted libcef.dll used by sketchup_webhelper.exe.
- CVE-2025-61161HIGHCVSS 8.4EG 8.42025-10-29
DLL hijacking vulnerability in Evope Collector 1.1.6.9.0 and related components load the wtsapi32.dll library from an uncontrolled search path (C:\ProgramData\Evope). This allows local unprivileged attackers to execute arbitrary code or es…
- CVE-2025-62185HIGHCVSS 7.8EG 6.72025-10-07
In Ankitects Anki before 25.02.5, a crafted shared deck can place a YouTube downloader executable in the media folder, and this is executed for a YouTube link in the deck. The executable name could be youtube-dl.exe or yt-dlp.exe or yt-dlp…
- CVE-2025-62628HIGHCVSS 7.0EG 7.02026-05-14
Unsafe OpenSSL initialization within some AMD optional tools may allow a local user-privileged attacker to inject a malicious DLL, potentially resulting in arbitrary code execution.
- CVE-2025-62776HIGHCVSS 7.8EG 7.82025-10-29
The installer of WTW EAGLE (for Windows) 3.0.8.0 contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with the privileges of the running applic…
- CVE-2025-64695HIGHCVSS 7.8EG 7.82025-11-21
Uncontrolled search path element issue exists in the installer of LogStare Collector (for Windows). If exploited, arbitrary code may be executed with the privilege of the user invoking the installer.
- CVE-2025-64726HIGHCVSS 7.3EG 7.32025-11-13
Socket Firewall is an HTTP/HTTPS proxy server that intercepts package manager requests and enforces security policies by blocking dangerous packages. Socket Firewall binary versions (separate from installers) prior to 0.15.5 are vulnerable…
- CVE-2025-64772HIGHCVSS 7.8EG 7.82025-12-01
The installer of INZONE Hub 1.0.10.3 to 1.0.17.0 contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with the privilege of the user invoking t…
- CVE-2025-64994MEDIUMCVSS 6.7EG 6.52025-12-11
A privilege escalation vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Nomad-SetWorkRate instruction prior V17.1. The improper handling of executable search paths could allow local attackers with …
- CVE-2025-64995MEDIUMCVSS 6.7EG 6.52025-12-11
A privilege escalation vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Exchange-NomadClientHealth-ConfigureGeneralSetting instruction prior V3.4. Improper protection of the execution path on the l…
- CVE-2025-65118HIGHCVSS 8.8EG 8.82026-01-16
The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to trick Process Optimization services into loading arbitrary code and escalate privileges to OS System, potentially resulting in complete compro…
- CVE-2025-65741CRITICALCVSS 9.8EG 9.82025-12-09
Sublime Text 3 Build 3208 or prior for MacOS is vulnerable to Dylib Injection. An attacker could compile a .dylib file and force the execution of this library in the context of the Sublime Text application.
- CVE-2025-66476HIGHCVSS 7.8EG 7.82025-12-02
Vim is an open source, command line text editor. Prior to version 9.1.1947, an uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory for the current edited fil…
- CVE-2025-66835HIGHCVSS 7.1EG 7.12025-12-30
TrueConf Client 8.5.2 is vulnerable to DLL hijacking via crafted wfapi.dll allowing local attackers to execute arbitrary code within the user's context.
- CVE-2025-67450HIGHCVSS 7.8EG 7.82025-12-26
Due to insecure library loading in the Eaton UPS Companion software executable, an attacker with access to the software package could perform arbitrary code execution . This security issue has been fixed in the latest version of EUC wh…
- CVE-2025-69599CRITICALCVSS 9.8EG 9.82026-05-08
RayVentory Scan Engine through 12.6 Update 8 allows attackers to gain privileges if they control the value of the PATH environment variable. NOTE: this is disputed because ability of an attacker to control the environment is a site-specifi…
- CVE-2025-71178HIGHCVSS 7.1EG 7.12026-01-26
Crucial Storage Executive installer versions prior to 11.08.082025.00 contain a DLL preloading vulnerability. During installation, the installer runs with elevated privileges and loads Windows DLLs using an uncontrolled search path, which …
- CVE-2025-7427MEDIUMCVSS 5.9EG 5.92025-07-22
Uncontrolled Search Path Element in Arm Development Studio before 2025 may allow an attacker to perform a DLL hijacking attack. Successful exploitation could lead to local arbitrary code execution in the context of the user running Arm De…
- CVE-2025-7472HIGHCVSS 7.5EG 7.52025-07-17
A local privilege escalation vulnerability in the Intercept X for Windows installer prior version 1.22 can lead to a local user gaining system level privileges, if the installer is run as SYSTEM.
- CVE-2025-7676MEDIUMCVSS 5.4EG 5.42025-07-28
DLL hijacking of all PE32 executables when run on Windows for ARM64 CPU architecture. This allows an attacker to execute code, if the attacker can plant a DLL in the same directory as the executable. Vulnerable versions of Windows 11 for A…
- CVE-2025-8614HIGHCVSS 7.8EG 7.82025-09-02
NoMachine Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of NoMachine. An attacker must first obtain the ability to exe…
- CVE-2025-9000HIGHCVSS 7.0EG 7.02025-08-15
A vulnerability was found in Mechrevo Control Center GX V2 5.56.51.48. Affected by this vulnerability is an unknown functionality of the component reg File Handler. The manipulation leads to uncontrolled search path. It is possible to laun…
- CVE-2025-9016HIGHCVSS 7.0EG 7.02025-08-15
A vulnerability was identified in Mechrevo Control Center GX V2 5.56.51.48. This affects an unknown part of the file C:\Program Files\OEM\机械革命控制中心\AiStoneService\MyControlCenter\Command of the component Powershell Script Ha…
- CVE-2025-9059HIGHCVSS 8.8EG 8.82025-09-11
The Altiris Core Agent Updater package (AeXNSC.exe) is prone to an elevation of privileges vulnerability through DLL hijacking.
- CVE-2025-9164HIGHCVSS 8.8EG 8.82025-10-27
Docker Desktop Installer.exe is vulnerable to DLL hijacking due to insecure DLL search order. The installer searches for required DLLs in the user's Downloads folder before checking system directories, allowing local privilege escalation t…
- CVE-2025-9201HIGHCVSS 7.8EG 7.82025-09-11
A potential DLL hijacking vulnerability was discovered in Lenovo Browser during an internal security assessment that could allow a local user to execute code with elevated privileges.
- CVE-2025-9267HIGHCVSS 7.0EG 7.02025-09-26
In Seagate Toolkit on Windows a vulnerability exists in the Toolkit Installer prior to versions 2.35.0.6 where it attempts to load DLLs from the current working directory without validating their origin or integrity. This behavior can be…
- CVE-2025-9330HIGHCVSS 7.8EG 7.82025-09-02
Foxit PDF Reader Update Service Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Foxit PDF Reader. An attacker must fir…
- CVE-2025-9844HIGHCVSS 8.8EG 8.82025-09-23
Uncontrolled Search Path Element vulnerability in Salesforce Salesforce CLI on Windows allows Replace Trusted Executable.This issue affects Salesforce CLI: before 2.106.6.
- CVE-2026-0776HIGHCVSS 7.3EG 7.32026-01-23
Discord Client Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Discord Client. An attacker must first obtain the abili…
- CVE-2026-10847HIGHCVSS 7.8EG 7.82026-06-11
A local privilege escalation vulnerability exists in Check Point Identity Agent Full for Windows... A local privilege escalation vulnerability exists in Check Point Identity Agent Full for Windows OS. An authenticated local user may be ab…
- CVE-2026-11879HIGHCVSS 8.5EG 8.52026-06-12
MobaXterm Personal Edition (Portable), in its 26.3 version (Build 5154), allows arbitrary code execution by loading malicious DLLs from a temporary directory that is predictable and can be modified by the user. During startup, the applicat…
- CVE-2026-11958HIGHCVSS 7.3EG 7.32026-06-18
Local privilege escalation by loading DLLs from a shared temporary directory in ANSSI’s DFIR-ORC, versions 10.2.7 and prior. An attacker with prior access to the system, can place a malicious DLL in C:\Windows\Temp and wait for the appli…
- CVE-2026-11967HIGHCVSS 8.5EG 8.52026-06-12
MobaXterm Personal Edition (Portable), in its 26.3 version (Build 5154), allows arbitrary code execution by loading a malicious DLL located in the same directory as the portable executable. Because the application automatically loads the w…
- CVE-2026-12003MEDIUMCVSS 5.3EG 5.32026-06-16
To allow builds of Python to be run from an in-tree layout (rather than an installed file layout), the VPATH variable is defined at build time and used to locate certain landmarks - specifically, Modules/setup.local. When this landmark is …
- CVE-2026-1636MEDIUMCVSS 6.7EG 6.72026-04-15
A potential DLL hijacking vulnerability was reported in Lenovo Service Bridge that, under certain conditions, could allow a local authenticated user to execute code with elevated privileges.
- CVE-2026-2040HIGHCVSS 7.3EG 7.32026-02-20
PDF-XChange Editor TrackerUpdate Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of PDF-XChange Editor. An attacker must …
Map vulnerabilities like CWE-427 to your infrastructure
EchelonGraph correlates every CVE — across CWE-427 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →