Severity : High Date : 2/3/2026 Product Affected : Sync Breeze Enterprise <= 12.4.18 CVE ID : 2020-37100 CWE ID : CWE-428 Unquoted Search Path or Element CVSS V3 Vector : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS V4 Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N References : - ExploitDB-48045 - Vendor Homepage Credit : boku Description : The unquoted service path vulnerability in Sync Breeze Enterprise 12.4.18 allows local attackers to execute arbitrary code with elevated privileges. Attackers can exploit this by placing malicious executables in specific file system locations, thereby hijacking the service startup process.