Total
408 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-41359 | 1 Smallsrv | 1 Small Http Server | 2026-03-26 | N/A | 7.8 HIGH |
| Vulnerability related to an unquoted service path in Small HTTP Server 3.06.36, specifically affecting the executable located at 'C:\Program Files (x86)\shttps_mg\http.exe service'. This misconfiguration allows a local attacker to place a malicious executable with the same name in a higher priority directory, causing the service to execute the malicious file instead of the legitimate one. Exploiting this flaw could allow arbitrary code execution, unauthorized access to the system, or service disruption. To mitigate the risk, the service path must be properly quoted, and systems must be kept up to date with security patches, while restricting physical and network access. | |||||
| CVE-2026-33253 | 2026-03-25 | N/A | 6.7 MEDIUM | ||
| SANUPS SOFTWARE provided by SANYO DENKI CO., LTD. registers Windows services with unquoted file paths. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege. | |||||
| CVE-2017-20218 | 2026-03-16 | N/A | 7.8 HIGH | ||
| Serviio PRO 1.8 contains an unquoted search path vulnerability in the Windows service that allows local users to execute arbitrary code with elevated privileges by placing malicious executables in the system root path. Additionally, improper directory permissions with full access for the Users group allow authenticated users to replace the executable file with arbitrary binaries, enabling privilege escalation during service startup or system reboot. | |||||
| CVE-2026-25866 | 2026-03-11 | N/A | 7.8 HIGH | ||
| MobaXterm versions prior to 26.1 contain an uncontrolled search path element vulnerability. The application calls WinExec to execute Notepad++ without a fully qualified executable path when opening remote files. An attacker can exploit the search path behavior by placing a malicious executable earlier in the search order, resulting in arbitrary code execution in the context of the affected user. | |||||
| CVE-2026-26033 | 1 Dell | 1 Ups Multi-ups Management Console | 2026-03-09 | N/A | 6.7 MEDIUM |
| UPS Multi-UPS Management Console (MUMC) version 01.06.0001 (A03) contains an Unquoted Search Path or Element (CWE-428) vulnerability, which allows a user with write access to a directory on the system drive to execute arbitrary code with SYSTEM privileges. | |||||
| CVE-2026-26034 | 1 Dell | 1 Ups Multi-ups Management Console | 2026-03-09 | N/A | 7.8 HIGH |
| UPS Multi-UPS Management Console (MUMC) version 01.06.0001 (A03) contains an Incorrect Default Permissions (CWE-276) vulnerability that allows an attacker to execute arbitrary code with SYSTEM privileges by causing the application to load a specially crafted DLL. | |||||
| CVE-2026-1585 | 2026-03-03 | N/A | 6.7 MEDIUM | ||
| An unquoted Windows service executable path vulnerability in IJ Scan Utility for Windows versions 1.1.2 through 1.5.0 may allow a local attacker to execute a malicious file with the privileges of the affected service. | |||||
| CVE-2022-50923 | 1 Cobiansoft | 1 Cobian Backup | 2026-03-02 | N/A | 7.8 HIGH |
| Cobian Backup 0.9 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the CobianReflectorService to inject malicious code that will execute with LocalSystem permissions during service startup. | |||||
| CVE-2022-50917 | 1 Proton | 1 Protonvpn | 2026-03-02 | N/A | 7.8 HIGH |
| ProtonVPN 1.26.0 contains an unquoted service path vulnerability in its WireGuard service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path by placing malicious executables in specific file system locations to gain elevated privileges during service startup. | |||||
| CVE-2022-50915 | 1 Primera | 1 Ptpublisher | 2026-03-02 | N/A | 7.8 HIGH |
| PTPublisher 2.3.4 contains an unquoted service path vulnerability in the PTProtect service that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Primera Technology\PTPublisher\UsbFlashDongleService.exe' to inject malicious executables and gain system-level access. | |||||
| CVE-2019-25308 | 1 Mikogo | 1 Mikogo | 2026-02-26 | N/A | 7.8 HIGH |
| Mikogo 5.2.2.150317 contains an unquoted service path vulnerability in the Mikogo-Service Windows service configuration. Attackers can exploit the unquoted path to inject and execute malicious code with LocalSystem privileges by placing executable files in specific path locations. | |||||
| CVE-2019-25261 | 1 Anydesk | 1 Anydesk | 2026-02-25 | N/A | 7.8 HIGH |
| AnyDesk 5.4.0 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially inject malicious executables. Attackers can exploit the unquoted binary path to place malicious files in service executable locations, potentially gaining elevated system privileges. | |||||
| CVE-2025-12286 | 2026-02-24 | 6.0 MEDIUM | 7.0 HIGH | ||
| A weakness has been identified in VeePN up to 1.6.2. This affects an unknown function of the file C:\Program Files (x86)\VeePN\avservice\avservice.exe of the component AVService. This manipulation causes unquoted search path. The attack requires local access. A high degree of complexity is needed for the attack. The exploitability is reported as difficult. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2020-37100 | 1 Flexense | 1 Syncbreeze | 2026-02-20 | N/A | 7.8 HIGH |
| Sync Breeze Enterprise 12.4.18 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific file system locations to hijack the service startup process. | |||||
| CVE-2026-2542 | 2026-02-18 | 6.0 MEDIUM | 7.0 HIGH | ||
| A weakness has been identified in Total VPN 0.5.29.0 on Windows. Affected by this vulnerability is an unknown functionality of the file C:\Program Files\Total VPN\win-service.exe. Executing a manipulation can lead to unquoted search path. It is possible to launch the attack on the local host. This attack is characterized by high complexity. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2019-25267 | 1 Wftpserver | 1 Wing Ftp Server | 2026-02-18 | N/A | 7.8 HIGH |
| Wing FTP Server 6.0.7 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions. | |||||
| CVE-2025-59888 | 1 Eaton | 1 Ups Companion | 2026-02-18 | N/A | 6.7 MEDIUM |
| Improper quotation in search paths in the Eaton UPS Companion software installer could lead to arbitrary code execution of an attacker with the access to the file system. This security issue has been fixed in the latest version of EUC which is available on the Eaton download center. | |||||
| CVE-2019-25345 | 2026-02-13 | N/A | 7.8 HIGH | ||
| Realtek IIS Codec Service 6.4.10041.133 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in the service configuration to inject malicious executables and escalate privileges on the system. | |||||
| CVE-2019-25309 | 2026-02-11 | N/A | 7.8 HIGH | ||
| Zilab Remote Console Server 3.2.9 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables that will be run with LocalSystem permissions. | |||||
| CVE-2019-25307 | 2026-02-11 | N/A | 7.8 HIGH | ||
| WorkgroupMail 7.5.1 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges during service startup. | |||||