
CWE-426 (Untrusted Search Path) — Vulnerability Class 194

194 vulnerabilities classified as CWE-426 (Untrusted Search Path). AI-generated Chinese analysis included.

CWE-426 is a weakness in which software locates a resource it depends on (an executable, a shared library or DLL, a configuration file) through a search path it does not fully control, such as the PATH environment variable, LD_LIBRARY_PATH or LD_PRELOAD, the Windows DLL search order, or a directory taken from a user-settable property, instead of through an absolute path in a trusted directory. An attacker exploits it by placing a file with the expected name in a directory that is searched before the legitimate location, either by editing the search path (setting PATH, LD_PRELOAD or a similar variable) or by writing to a searched directory such as the current working directory, a temporary directory, or an application folder that is world-writable. The program then executes or loads the attacker's file with its own privileges. The usual outcome is arbitrary code execution in the context of the vulnerable program, which becomes local privilege escalation when that program is setuid, a service, or a privileged installer; several of the CVEs listed below are exactly that. To prevent it, hard-code the search path (or let only an administrator configure it) to trusted directories, reference critical resources by fully qualified pathname, sanitize or replace the environment before invoking other programs, and use exec-style functions that do not search PATH. Running with least privilege limits the damage a successful hijack can do but does not stop the attacker's code from running, so it complements these controls rather than replacing them.

MITRE CWE Description
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control. This might allow attackers to execute their own programs, access unauthorized data files, or modify configuration in unexpected ways.

If the product uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted product would then execute. The problem extends to any type of critical resource that the product trusts.

Some of the most common variants of untrusted search path are:
- In various UNIX and Linux-based systems, the PATH environment variable may be consulted to locate executable programs, and LD_PRELOAD may be used to locate a separate library.
- In various Microsoft-based systems, the PATH environment variable is consulted to locate a DLL, if the DLL is not found in other paths that appear earlier in the search order.
Common Consequences (3)
Scope: Integrity, Confidentiality, Availability, Access Control. Impact: Gain Privileges or Assume Identity; Execute Unauthorized Code or Commands.
There is the potential for arbitrary code execution with privileges of the vulnerable program.
Scope: Availability. Impact: DoS: Crash, Exit, or Restart.
The program could be redirected to the wrong files, potentially triggering a crash or hang when the targeted file is too large or does not have the expected format.
Scope: Confidentiality. Impact: Read Files or Directories.
The program could send the output of unauthorized files to the attacker.
Mitigations (5)
Phase: Architecture and Design, Implementation. Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-427 and CWE-428.
Phase: Implementation. When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the fully-qualified paths in a centralized, easily-modifiable location within the source code, and having the code ref…
Phase: Implementation. Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.
Phase: Implementation. Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.
Phase: Implementation. Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path (the execlp() and execvp() variants search PATH and give no protection).
Examples (2)
This program is intended to execute a command that lists the contents of a restricted directory, then performs other actions. Assume that it runs with setuid privileges in order to bypass the permissions check by the operating system.

```c
#include <stdio.h>
#include <stdlib.h>

#define DIR "/restricted/directory"

char cmd[500];
sprintf(cmd, "ls -l %480s", DIR);

/* Raise privileges to those needed for accessing DIR. */
RaisePrivileges(...);
/* system() hands the command to /bin/sh, which resolves "ls" through $PATH. */
system(cmd);
DropPrivileges(...);
...
```
Bad · C

Attack:
1. The user sets the PATH to reference a directory under the attacker's control, such as "/my/dir/".
2. The attacker creates a malicious program called "ls", and puts that program in /my/dir.
3. The user executes the program.
4. When system() is executed, the shell consults the PATH to find the ls program.
5. The program finds the attacker's malicious program, "/my/dir/ls". It doesn't find "/bin/ls" because PATH does not contain "/bin/".
6. The program executes the attacker's malicious program with the raised privileges.

The following code from a system utility uses the system property APPHOME to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.

```java
...
String home = System.getProperty("APPHOME");
String cmd = home + INITCMD;
java.lang.Runtime.getRuntime().exec(cmd);
...
```
Bad · Java
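A hardened counterpart to the setuid C example above, applying the first, third, fourth and fifth mitigations from the list: the trusted directories are hard-coded, the tool is resolved to an absolute path inside them (never through $PATH), the caller's PATH is scrubbed of the elements the fourth mitigation warns about, and the child is started with execve() under a fixed minimal environment instead of through system(). This is an added example for this page, not MITRE's code or any listed vendor's; TRUSTED_DIRS, the function names, the constructed attacker-style PATH string and the use of the standard `true` utility are the example's own assumptions, it targets POSIX systems, and the RaisePrivileges/DropPrivileges calls of the original are left out.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Directories this program trusts to hold the tools it runs (an assumption
 * for the example; a real product would take them from an admin-only file). */
static const char *const TRUSTED_DIRS[] = { "/usr/bin", "/bin", NULL };

/* Unsafe PATH elements: empty (POSIX reads "" as the current directory),
 * relative, or a temporary-files directory. */
static int path_element_is_safe(const char *e, size_t len)
{
    if (len == 0 || e[0] != '/') return 0;
    if ((len == 4 && !strncmp(e, "/tmp", 4)) || (len >= 5 && !strncmp(e, "/tmp/", 5)) ||
        (len == 8 && !strncmp(e, "/var/tmp", 8)) || (len >= 9 && !strncmp(e, "/var/tmp/", 9)))
        return 0;
    return 1;
}

/* Copy only the safe colon-separated elements of `in` into `out`.
 * Returns the number of elements kept, or -1 if `out` is too small. */
int sanitize_search_path(const char *in, char *out, size_t outsz)
{
    size_t used = 0;
    int kept = 0;
    const char *p = in;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (path_element_is_safe(p, len)) {
            if (used + len + (kept ? 1 : 0) + 1 > outsz) return -1;
            if (kept) out[used++] = ':';
            memcpy(out + used, p, len);
            used += len;
            out[used] = '\0';
            kept++;
        }
        if (colon == NULL) break;
        p = colon + 1;
    }
    return kept;
}

/* Resolve a bare tool name against TRUSTED_DIRS only; $PATH is never read.
 * Names containing '/' are refused, and the candidate must be a regular,
 * executable, non-world-writable file. Returns 1 with the absolute path in
 * `out`, or 0 if nothing acceptable was found. */
int resolve_trusted(const char *name, char *out, size_t outsz)
{
    struct stat st;
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL) return 0;
    for (const char *const *dir = TRUSTED_DIRS; *dir != NULL; dir++) {
        int n = snprintf(out, outsz, "%s/%s", *dir, name);
        if (n < 0 || (size_t)n >= outsz) return 0;
        if (stat(out, &st) == 0 && S_ISREG(st.st_mode) &&
            (st.st_mode & S_IWOTH) == 0 && access(out, X_OK) == 0)
            return 1;
    }
    out[0] = '\0';
    return 0;
}

/* Run `name` (plus one optional argument) by absolute path under a fixed,
 * minimal environment: the caller's PATH, LD_PRELOAD and LD_LIBRARY_PATH are
 * not inherited, so neither the lookup nor the dynamic loader can be
 * redirected. Returns the child's exit status, or -1 on any failure. */
int run_trusted(const char *name, const char *arg)
{
    char path[4096];
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    char *argv[3] = { path, (char *)arg, NULL };
    int status;
    pid_t pid;

    if (!resolve_trusted(name, path, sizeof path)) return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {
        execve(path, argv, envp);   /* absolute path: no search performed */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char clean[256];
    /* Constructed attacker-style PATH: the leading empty element (cwd), /tmp
     * and the relative "./bin" are dropped; only absolute dirs survive. */
    int kept = sanitize_search_path(":/tmp:/usr/bin:./bin:/bin", clean, sizeof clean);
    printf("kept %d PATH element(s): %s\n", kept, clean);
    printf("'true' exited with %d\n", run_trusted("true", NULL));
    printf("unknown tool -> %d\n", run_trusted("no-such-tool-cwe426", NULL));
    return 0;
}
```

sanitize_search_path() is for the case where a child must itself launch programs and therefore needs some PATH handed down; when the parent controls the child completely, the fixed envp used in run_trusted() is the simpler and stronger choice. The world-writable check in resolve_trusted() catches the case where a "trusted" directory has been mis-permissioned, which is how several of the installer and application-folder CVEs listed below arise.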
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-7309 | Openshift-controller-manager: openshift container platform: information disclosure via environment variable injection | Red Hat OpenShift Container Platform 4 | 4.3 | Medium | 2026-04-28
CVE-2026-35368 | uutils coreutils chroot Local Privilege Escalation and chroot Escape via Name Service Switch (NSS) Injection | coreutils | 7.2 | High | 2026-04-22
CVE-2026-35603 | Claude Code: Insecure System-Wide Configuration Loading Enables Local Privilege Escalation on Windows | claude-code | 7.3 (AI) | High (AI) | 2026-04-17
CVE-2026-40947 | Security vulnerability in multiple Yubico products | libfido2 | 2.9 | Low | 2026-04-15
CVE-2026-27290 | Adobe Framemaker - Untrusted Search Path (CWE-426) | Adobe Framemaker | 8.6 | High | 2026-04-14
CVE-2026-39883 | OpenTelemetry-Go has an incomplete fix for CVE-2026-24051: BSD kenv command not using absolute path enables PATH hijacking | opentelemetry-go | 9.8 (AI) | Critical (AI) | 2026-04-08
CVE-2025-39666 | omd: Local privilege escalation when executing omd commands as root | Checkmk | 7.8 (AI) | High (AI) | 2026-04-07
CVE-2022-4987 | Hirschmann Industrial HiVision External Application Path Hijacking Leading to Arbitrary Code Execution | Hirschmann Industrial HiVision | 7.3 | High | 2026-04-03
CVE-2026-3780 | Foxit PDF Editor/Reader Installer Uncontrolled Search Path Privilege Escalation | Foxit PDF Reader | 7.3 | High | 2026-04-01
CVE-2026-33156 | DLL Sideloading in ScreenToGif | ScreenToGif | 7.8 | High | 2026-03-20
CVE-2026-25792 | Greenshot Vulnerable to OS Command Injection via ExternalCommand Plugin | greenshot | 6.5 | Medium | 2026-03-20
CVE-2026-32032 | OpenClaw < 2026.2.22 - Arbitrary Shell Execution via Unvalidated SHELL Environment Variable | OpenClaw | 7.8 | High | 2026-03-19
CVE-2026-32016 | OpenClaw < 2026.2.22 - Path Traversal via Basename-Only Allowlist Matching on macOS | OpenClaw | 7.8 | High | 2026-03-19
CVE-2026-32015 | OpenClaw 2026.1.21 < 2026.2.19 - PATH Hijacking Bypass in tools.exec.safeBins Allowlist Validation | OpenClaw | 7.8 | High | 2026-03-19
CVE-2026-32009 | OpenClaw < 2026.2.24 - Binary Hijacking via Static Default Trusted Directories in safeBins | OpenClaw | 5.7 | Medium | 2026-03-19
CVE-2026-21333 | Illustrator - Untrusted Search Path (CWE-426) | Illustrator | 8.6 | High | 2026-03-10
CVE-2026-25190 | Windows GDI Remote Code Execution Vulnerability | Windows 10 Version 1607 | 7.8 | High | 2026-03-10
CVE-2026-29089 | TimescaleDB uses untrusted search path during extension upgrade | timescaledb | 8.8 | High | 2026-03-06
CVE-2026-2998 | eAI Technologies ERP - DLL Hijacking | ERP F2 | 7.8 | High | 2026-02-23
CVE-2026-25926 | Notepad++ has an Untrusted Search Path | notepad-plus-plus | 7.3 | High | 2026-02-18
CVE-2026-25880 | Untrusted Search Path in SumatraPDF Reader (explorer.exe on Windows) | sumatrapdf | 7.8 | High | 2026-02-09
CVE-2025-15321 | Tanium addressed an improper input validation vulnerability in Tanium Appliance. | Tanium Appliance | 2.7 | Low | 2026-02-05
CVE-2025-13491 | IBM App Connect Enterprise Certified Container Information Disclosure | App Connect Enterprise Certified Container | 5.1 | Medium | 2026-02-05
CVE-2026-0662 | Untrusted Search Path Vulnerability when opening max Files | 3ds Max | 7.8 | High | 2026-02-04
CVE-2025-65078 | Untrusted search path vulnerability in Embedded Solutions Framework | MXTCT, MSNGM, MSTGM, MXNGM, MXTGM, CSNGV, CSTGV, CXTGV, MSNGW, MSTGW, MXTGW, CSTLS, CXTLS, MXTLS, CSTMM, CXTMM, CSTPC, CXTPC, MXTPM, MSNSN, MSTSN, MXTSN, CSNZJ, CSTZJ, CXNZJ, CXTZJ | 8.8 (AI) | High (AI) | 2026-02-03
CVE-2026-24051 | OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking | opentelemetry-go | 7.0 | High | 2026-02-02
CVE-2026-24070 | Local Privilege Escalation via DYLIB Injection in Native Instruments Native Access | Native Access | 5.5 (AI) | Medium (AI) | 2026-02-02
CVE-2026-23512 | SumatraPDF has an Untrusted Search Path in sumatrapdf/src/AppTools.cpp | sumatrapdf | 8.6 | High | 2026-01-14
CVE-2026-21280 | Illustrator - Untrusted Search Path (CWE-426) | Illustrator | 8.6 | High | 2026-01-13
CVE-2026-20943 | Microsoft Office Click-To-Run Remote Code Execution Vulnerability | Microsoft Office 2016 | 7.0 | High | 2026-01-13
Entries marked (AI) carry the site's AI badge on their score and severity.

Vulnerabilities classified as CWE-426 (Untrusted Search Path) represent 194 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.