CVE-2025-41359

Vulnerability related to an unquoted service path in Small HTTP Server 3.06.36, specifically affecting the executable located at 'C:\Program Files (x86)\shttps_mg\http.exe service'. This misconfiguration allows a local attacker to place a malicious executable with the same name in a higher priority directory, causing the service to execute the malicious file instead of the legitimate one. Exploiting this flaw could allow arbitrary code execution, unauthorized access to the system, or service disruption. To mitigate the risk, the service path must be properly quoted, and systems must be kept up to date with security patches, while restricting physical and network access.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-small-http-server-smallsrv	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:smallsrv:small_http_server:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-26 13:16

Updated : 2026-03-26 21:04

NVD link : CVE-2025-41359

Mitre link : CVE-2025-41359

CVE.ORG link : CVE-2025-41359

JSON object : View

Products Affected

smallsrv

small_http_server

CWE

CWE-428

Unquoted Search Path or Element

{"id": "CVE-2025-41359", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-26T13:16:25.277", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-small-http-server-smallsrv", "tags": ["Third Party Advisory"], "source": "cve-coordination@incibe.es"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-428"}]}], "descriptions": [{"lang": "en", "value": "Vulnerability related to an unquoted service path in Small HTTP Server 3.06.36, specifically affecting the executable located at 'C:\\Program Files (x86)\\shttps_mg\\http.exe service'. This misconfiguration allows a local attacker to place a malicious executable with the same name in a higher priority directory, causing the service to execute the malicious file instead of the legitimate one. Exploiting this flaw could allow arbitrary code execution, unauthorized access to the system, or service disruption. To mitigate the risk, the service path must be properly quoted, and systems must be kept up to date with security patches, while restricting physical and network access."}, {"lang": "es", "value": "Vulnerabilidad relacionada con una ruta de servicio sin comillas en Small HTTP Server 3.06.36, afectando espec\u00edficamente al ejecutable ubicado en 'C:\\Program Files (x86)\\shttps_mg\\http.exe service'. Esta mala configuraci\u00f3n permite a un atacante local colocar un ejecutable malicioso con el mismo nombre en un directorio de mayor prioridad, haciendo que el servicio ejecute el archivo malicioso en lugar del leg\u00edtimo. Explotar esta falla podr\u00eda permitir la ejecuci\u00f3n de c\u00f3digo arbitrario, acceso no autorizado al sistema o interrupci\u00f3n del servicio. Para mitigar el riesgo, la ruta del servicio debe estar correctamente entrecomillada, y los sistemas deben mantenerse actualizados con los parches de seguridad, mientras se restringe el acceso f\u00edsico y de red."}], "lastModified": "2026-03-26T21:04:16.050", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:smallsrv:small_http_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "59C8C025-8748-4B3B-81C4-AD59BE3D4EA9", "versionEndExcluding": "3.06.38", "versionStartIncluding": "3.06.36"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@incibe.es"}