Skip to main content

CivetWeb CVE-2026-5789

| EUVDEUVD-2026-24138 HIGH
Unquoted Search Path or Element (CWE-428)
2026-04-21 INCIBE GHSA-9vxj-j2f7-9mgg
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 22, 2026 - 17:37 vuln.today
cvss_changed
Analysis Generated
Apr 21, 2026 - 16:30 vuln.today
CVSS changed
Apr 21, 2026 - 15:22 NVD
8.5 (HIGH)
EUVD ID Assigned
Apr 21, 2026 - 15:00 euvd
EUVD-2026-24138
Analysis Generated
Apr 21, 2026 - 15:00 vuln.today
Patch released
Apr 21, 2026 - 15:00 nvd
Patch available
CVE Published
Apr 21, 2026 - 14:22 nvd
HIGH 8.5

DescriptionCVE.org

Vulnerability related to an unquoted search path in CivetWeb v1.16. This vulnerability allows a local attacker to execute arbitrary code with elevated privileges by placing a malicious executable in a directory that is scanned before the intended application path (C:\Program Files\CivetWeb\CivetWeb.exe --), due to the absence of quotes in the service configuration.

AnalysisAI

Local privilege escalation in CivetWeb v1.16 service allows authenticated users to execute arbitrary code with SYSTEM privileges via unquoted service path exploitation. The Windows service configuration lacks quotes around 'C:\Program Files\CivetWeb\CivetWeb.exe', enabling attackers to place malicious executables in directories scanned before the intended path (e.g., 'C:\Program.exe' or 'C:\Program Files\CivetWeb.exe'). No public exploit identified at time of analysis, though EPSS data not available. Patch available per vendor advisory from INCIBE.

Technical ContextAI

CivetWeb is an embedded C/C++ web server library commonly deployed as a Windows service. This vulnerability exploits CWE-428 (Unquoted Search Path or Element), a Windows-specific configuration flaw in service registry entries. When Windows executes a service path containing spaces without surrounding quotes, the Service Control Manager parses the path incorrectly, treating each space-separated token as a potential executable path. For 'C:\Program Files\CivetWeb\CivetWeb.exe', Windows attempts execution in order: 'C:\Program.exe', 'C:\Program Files\CivetWeb.exe', then the intended path. The CPE identifier (cpe:2.3:a:civetweb:civetweb:*:*:*:*:*:*:*:*) indicates the core CivetWeb library is affected across versions, though the description specifically identifies v1.16. This is a classic Windows privilege escalation primitive that requires write access to system directories, typically restricted to administrators but exploitable in misconfigured environments or through chained attacks.

RemediationAI

Vendor-released patch available per INCIBE advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/search-path-without-quotes-civetweb - consult advisory for exact patched version and upgrade instructions. Primary fix: Upgrade CivetWeb to the patched version that correctly quotes the service executable path in registry configuration. Manual workaround (if immediate patching infeasible): Modify the Windows service registry entry to add quotes around the executable path using 'sc config [ServiceName] binPath= "C:\Program Files\CivetWeb\CivetWeb.exe"' from elevated command prompt, then restart service. Compensating control: Audit and restrict write permissions on C:\ and C:\Program Files\ directories to Administrators group only (remove write access for Users, Power Users groups) using icacls or Group Policy - trade-off is this may break legacy applications expecting lax permissions. Verify fix by checking registry key HKLM\SYSTEM\CurrentControlSet\Services\[CivetWebServiceName]\ImagePath contains quoted path. Organizations not using CivetWeb as a Windows service are not affected and require no action.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-5789 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy