CWE-427— Uncontrolled Search Path Element
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.— MITRE CWE catalog
1,124 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-427page 22 of 23
- CVE-2026-20772MEDIUMCVSS 5.4EG 5.42026-05-12
Uncontrolled search path for some Intel(R) Connectivity Performance Suite software installers before version 50.25.1121.193 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an auth…
- CVE-2026-21408HIGHCVSS 7.3EG 7.32026-01-27
beat-access for Windows version 3.0.3 and prior contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with SYSTEM privileges.
- CVE-2026-21427HIGHCVSS 7.8EG 7.82026-01-08
The installers for multiple products provided by PIONEER CORPORATION contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with the privileges o…
- CVE-2026-21661HIGHCVSS 8.4EG 8.42026-05-06
Uncontrolled Search Path Element vulnerability in JohnsonControls AC2000 on Windows allows Leveraging/Manipulating Configuration File Search Paths. This issue affects AC2000: from 10.6 before release 10, from 11.0 before release 9, from 1…
- CVE-2026-22561HIGHCVSS 7.8EG 7.82026-03-31
Uncontrolled search path elements in Anthropic Claude for Windows installer (Claude Setup.exe) versions prior to 1.1.3363 allow local privilege escalation via DLL search-order hijacking. The installer loads DLLs (e.g., profapi.dll) from it…
- CVE-2026-22619HIGHCVSS 7.8EG 7.82026-04-16
Eaton Intelligent Power Protector (IPP) is affected by insecure library loading in its executable, which could lead to arbitrary code execution by an attacker with access to the software package. This security issue has been fixed in the …
- CVE-2026-2360HIGHCVSS 8.0EG 8.02026-02-11
PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a custom operator in the public schema and place malicious code in that operator. This operator will later be executed with superuse…
- CVE-2026-2361HIGHCVSS 8.0EG 8.02026-02-11
PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a temporary view based on a function containing malicious code. When the anon.get_tablesample_ratio function is then called, the mal…
- CVE-2026-23740NONECVSS 0.0EG 0.02026-02-06
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (f…
- CVE-2026-23741NONECVSS 0.0EG 0.02026-02-06
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 o…
- CVE-2026-23755HIGHCVSS 7.3EG 7.32026-01-21
D-Link D-View 8 versions 2.0.1.107 and below contain an uncontrolled search path vulnerability in the installer. When executed with elevated privileges via UAC, the installer attempts to load version.dll from its execution directory, allow…
- CVE-2026-24016HIGHCVSS 7.8EG 7.82026-01-21
The installer of ServerView Agents for Windows provided by Fsas Technologies Inc. may insecurely load Dynamic Link Libraries. Arbitrary code may be executed with the administrator privilege when the installer is executed.
- CVE-2026-24694HIGHCVSS 7.8EG 7.82026-02-03
The installer for Roland Cloud Manager ver.3.1.19 and prior insecurely loads Dynamic Link Libraries (DLLs), which could allow an attacker to execute arbitrary code with the privileges of the application.
- CVE-2026-2492HIGHCVSS 7.8EG 7.02026-02-20
TensorFlow HDF5 Library Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of TensorFlow. An attacker must first obtain the …
- CVE-2026-25129MEDIUMCVSS 6.7EG 6.72026-01-30
PsySH is a runtime developer console, interactive debugger, and REPL for PHP. Prior to versions 0.11.23 and 0.12.19, PsySH automatically loads and executes a `.psysh.php` file from the Current Working Directory (CWD) on startup. If an atta…
- CVE-2026-2516HIGHCVSS 7.0EG 7.02026-02-15
A vulnerability was identified in Unidocs ezPDF DRM Reader and ezPDF Reader 2.0/3.0.0.4. This affects an unknown part in the library SHFOLDER.dll. Such manipulation leads to uncontrolled search path. The attack needs to be performed locall…
- CVE-2026-25191HIGHCVSS 7.8EG 7.82026-02-26
The installer of FinalCode Client provided by Digital Arts Inc. contains an issue with the DLL search path. If a user is directed to place a malicious DLL file and the installer to the same directory and execute the installer, arbitrary co…
- CVE-2026-2538HIGHCVSS 7.0EG 7.02026-02-16
A security flaw has been discovered in Flos Freeware Notepad2 4.2.22/4.2.23/4.2.24/4.2.25. Affected is an unknown function in the library Msimg32.dll. Performing a manipulation results in uncontrolled search path. Attacking locally is a re…
- CVE-2026-25655HIGHCVSS 7.8EG 7.82026-02-10
A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP2). The affected application permits improper modification of a configuration file by a low-privileged user. This could allow an attacker to load malicious DLLs, pote…
- CVE-2026-25656HIGHCVSS 7.8EG 7.82026-02-10
A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3), User Management Component (UMC) (All versions < V2.15.2.1). The affected application permits improper modification of a configuration file by a low-privileged user…
- CVE-2026-25676HIGHCVSS 7.8EG 7.82026-02-12
The installer of M-Track Duo HD version 1.0.0 contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with administrator privileges.
- CVE-2026-25852MEDIUMCVSS 6.7EG 6.72026-04-29
Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212.
- CVE-2026-26050HIGHCVSS 7.8EG 7.82026-02-20
The installer for ジョブログ集計/分析ソフトウェア RICOHジョブログ集計ツール versions prior to Ver.1.3.7 contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a …
- CVE-2026-2713HIGHCVSS 7.4EG 7.42026-03-10
IBM Trusteer Rapport installer 3.5.2309.290 IBM Trusteer Rapport could allow a local attacker to execute arbitrary code on the system, caused by DLL uncontrolled search path element vulnerability. By placing a specially crafted file in a c…
- CVE-2026-27774MEDIUMCVSS 6.7EG 6.72026-04-02
Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis True Image (Windows) before build 42902.
- CVE-2026-28704HIGHCVSS 7.8EG 7.82026-04-10
Emocheck insecurely loads Dynamic Link Libraries (DLLs). If a crafted DLL file is placed to the same directory, an arbitrary code may be executed with the privilege of the user invoking EmoCheck.
- CVE-2026-28728MEDIUMCVSS 6.7EG 6.72026-04-02
Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis True Image (Windows) before build 42902.
- CVE-2026-28760HIGHCVSS 7.8EG 7.82026-03-26
The installer of RATOC RAID Monitoring Manager for Windows searches the current directory to load certain DLLs. If a user is directed to place a crafted DLL with the installer, an arbitrary code may be executed with the administrator privi…
- CVE-2026-30478HIGHCVSS 8.8EG 8.82026-04-09
A Dynamic-link Library Injection vulnerability in GatewayGeo MapServer for Windows version 5 allows attackers to escalate privileges via a crafted executable.
- CVE-2026-3091HIGHCVSS 7.3EG 6.72026-02-24
An uncontrolled search path element vulnerability in Synology Presto Client before 2.1.3-0672 allows local users to read or write arbitrary files and conduct denial-of-service during installation by placing a malicious DLL in advance in th…
- CVE-2026-32172HIGHCVSS 8.0EG 8.02026-04-23
Uncontrolled search path element in Microsoft Power Apps allows an unauthorized attacker to execute code over a network.
- CVE-2026-32323HIGHCVSS 7.3EG 7.32026-05-19
Mullvad VPN is a VPN client app for desktop and mobile. When using macOS with versions 2026.1 and below, Mullvad VPN may allow local privilege escalation during installation or upgrade. The installer package executes binaries from /Applica…
- CVE-2026-32679HIGHCVSS 7.8EG 7.82026-04-23
The installers of LiveOn Meet Client for Windows (Downloader5Installer.exe and Downloader5InstallerForAdmin.exe) and the installers of Canon Network Camera Plugin (CanonNWCamPlugin.exe and CanonNWCamPluginForAdmin.exe) insecurely load Dyna…
- CVE-2026-34488HIGHCVSS 7.3EG 7.32026-04-23
IP Setting Software contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with administrative privileges.
- CVE-2026-34632HIGHCVSS 7.8EG 8.22026-04-15
Adobe Photoshop Installer was affected by an Uncontrolled Search Path Element vulnerability that could have resulted in arbitrary code execution in the context of the current user. A low-privileged local attacker could have exploited this …
- CVE-2026-36574HIGHCVSS 7.8EG 7.82026-06-03
A DLL hijacking vulnerability in Wassimulator (GitHub) CactusViewer v2.3.0 allows attackers to escalate privileges and execute arbitrary code via a crafted DLL.
- CVE-2026-3775HIGHCVSS 7.8EG 7.82026-04-01
The application's update service, when checking for updates, loads certain system libraries from a search path that includes directories writable by low‑privileged users and is not strictly restricted to trusted system locations. Because…
- CVE-2026-38972HIGHCVSS 7.8EG 7.82026-07-02
Notepad3 through 6.25.822.1 contains a DLL search-order hijacking vulnerability in the About-dialog code path in src/Notepad3.c. The application calls LoadLibrary(L"MSFTEDIT.DLL") with a bare DLL name, which allows a local attacker to plac…
- CVE-2026-40004MEDIUMCVSS 5.5EG 5.52026-05-07
There exists an openssl.cnf privilege escalation vulnerability in ZTE Cloud PC client uSmartview. An attacker can execute arbitrary code locally and escalate privileges.
- CVE-2026-40031HIGHCVSS 7.8EG 7.82026-04-08
MemProcFS before 5.17 contains multiple unsafe library-loading patterns that enable DLL and shared-library hijacking across six attack surfaces, including bare-name LoadLibraryU and dlopen calls without path qualification for vmmpyc, libMS…
- CVE-2026-40342CRITICALCVSS 9.9EG 9.92026-04-17
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separa…
- CVE-2026-4134HIGHCVSS 7.3EG 7.32026-04-15
During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix, that during installation could allow a local authenticated user to execute code with elevated privileges.
- CVE-2026-41373MEDIUMCVSS 6.1EG 6.12026-04-28
OpenClaw before 2026.3.31 contains an incomplete host-env-security-policy.json that fails to restrict compiler binary environment variables, allowing untrusted models to substitute CC, CXX, CARGO_BUILD_RUSTC, and CMAKE_C_COMPILER via envir…
- CVE-2026-41567HIGHCVSS 7.2EG 7.22026-05-18
Moby is an open source container framework. In versions prior to 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive is uploaded to a container via `PUT /containers/{id}/archive` or piped through `docker cp -`, th…
- CVE-2026-4158HIGHCVSS 7.3EG 7.32026-04-11
KeePassXC OpenSSL Configuration Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of KeePassXC. An attacker must first obta…
- CVE-2026-42171HIGHCVSS 7.8EG 7.82026-04-24
NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the …
- CVE-2026-44358HIGHCVSS 8.2EG 8.22026-05-28
Espressif Shared GitHub DangerJS is a reusable GitHub Action CI DangerJS workflow for Espressif GitHub projects. Prior to 1.0.1, the action's entrypoint.sh invoked DangerJS from the caller's workspace after copying the fork's checkout into…
- CVE-2026-44406MEDIUMCVSS 5.7EG 5.72026-05-07
ZTE Cloud PC client uSmartView contains a DLL hijacking vulnerability; since uSmartViewServiceAgent.exe runs with SYSTEM privileges, successful hijacking enables local arbitrary code execution, privilege escalation, and memory corruption.…
- CVE-2026-44609HIGHCVSS 7.3EG 7.32026-06-03
Local privilege escalation due to EXE hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227.
- CVE-2026-44612HIGHCVSS 7.8EG 7.82026-05-13
Bytello Share (Windows Edition) installer executable provided by Bytello insecurely loads Dynamic Link Libraries. If there is a crafted DLL at the same directory when invoking the affected installer, arbitrary code may be executed with the…
Map vulnerabilities like CWE-427 to your infrastructure
EchelonGraph correlates every CVE — across CWE-427 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →