Skip to main content

CWE-427

Uncontrolled Search Path Element

887 CVEs Avg CVSS 7.3 MITRE
21
CRITICAL
657
HIGH
203
MEDIUM
2
LOW
86
POC
2
KEV

Monthly

CVE-2026-5674 HIGH This Week

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment such as Flatpak load an attacker-controlled library and execute arbitrary code on the host user's session. The flaw (CWE-427) is present in PipeWire as shipped in Red Hat Enterprise Linux 7, 8, 9 and 10 and carries a scope-changing CVSS 3.1 score of 8.8. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

RCE Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9
NVD VulDB
CVSS 3.1
8.8
CVE-2026-42936 HIGH This Week

Arbitrary code execution in the HYPER SBI 2 installer (SBI Securities' online trading application) allows a local attacker to run code with the invoking user's privileges by planting a crafted DLL in the installer's directory. The flaw stems from insecure DLL search-path loading (CWE-427) and requires the victim to launch the installer from an attacker-influenced folder. No public exploit has been identified at time of analysis; the issue was reported by JPCERT/CC and published via JVN.

RCE Hyper Sbi 2
NVD VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-48272 HIGH This Week

Local arbitrary code execution in Adobe Creative Cloud Desktop lets a low-privileged user run code in the context of the current user by exploiting an uncontrolled search path (CWE-427) — the class of flaw where an application loads a library or executable from an attacker-influenced directory. Adobe (CVE-2026-48272) rates it CVSS 7.8, but the vector is local with high attack complexity and requires existing low-level privileges, and exploitation depends on conditions beyond the attacker's control. No public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a defense-in-depth patch rather than an emergency.

RCE Creative Cloud Desktop
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-0487 HIGH This Week

Arbitrary code execution in SAProuter on Microsoft Windows lets a local attacker plant a malicious DLL in an untrusted search-path location that SAProuter loads at runtime, hijacking the DLL loading process to run attacker code with the privileges of the SAProuter service. The flaw was reported by SAP and carries a CVSS 8.4 with full High impact on confidentiality, integrity, and availability; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because SAProuter typically runs as a persistent network gateway service, successful exploitation can compromise a strategically positioned host in an SAP landscape.

RCE Microsoft Saprouter On Microsoft Windows
NVD
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-48363 HIGH This Week

Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases arises from an Uncontrolled Search Path Element weakness that lets attacker-controlled files or libraries be loaded when a victim opens a malicious file, running code in the context of the current user. The bug carries a scope change (S:C), meaning execution can affect resources beyond the initially vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so real-world risk currently hinges on social-engineering a local user into opening a crafted file.

RCE Coldfusion
NVD
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-48364 HIGH This Week

Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and earlier arises from an uncontrolled search path element (library-hijacking-style) flaw that runs attacker code in the context of the current user when a victim opens a malicious file. The CVSS 3.1 base score is 8.2 with a changed scope, and exploitation is gated by user interaction and low-privilege local access. No public exploit has been identified at time of analysis and it is not listed in CISA KEV.

RCE Coldfusion
NVD
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-15515 MEDIUM POC This Month

Local privilege/impact abuse in Tencent PC Manager 18.1.30242.301 stems from an uncontrolled search path (CWE-427) in the QMUDisk kernel driver library qmudisk64.sys, letting a low-privileged local user coerce loading of an attacker-controlled library to achieve high confidentiality, integrity, and availability impact. Publicly available exploit code exists (the 'qmukiller' proof-of-concept on GitHub), but exploitation is rated high-complexity/difficult and requires local access with existing low-level privileges. No public exploit has been tied to active in-the-wild attacks, and the vendor did not respond to the disclosure, so no fix is currently available.

Information Disclosure Pc Manager
NVD VulDB GitHub
CVSS 4.0
6.4
EPSS
0.1%
CVE-2026-57239 HIGH This Week

Local privilege escalation in Foxit PDF Editor and Foxit PDF Reader (Windows) lets a low-privileged user place executable files that a high-privilege process later runs directly, yielding code execution as NT AUTHORITY\SYSTEM. The flaw stems from an untrusted search path (CWE-427) where the application loads and executes attacker-writable binaries without validating their origin. There is no public exploit identified at time of analysis, EPSS is low (0.11%, 2nd percentile), and SSVC reports no observed exploitation, so this is a locally-exploitable escalation rather than a remotely wormable threat.

Information Disclosure Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-56437 HIGH This Week

Local privilege escalation to arbitrary code execution affects Fuji Electric's Pupsman UPS management software in all versions prior to 3.9.0, where the installer insecurely loads a DLL from its own directory. A local attacker who can drop a malicious DLL into the folder containing the installer can have it executed with SYSTEM privilege the next time the installer is run. No public exploit identified at time of analysis and the flaw is not in CISA KEV; exploitation requires local file placement plus a victim executing the installer (UI:A).

RCE Pupsman
NVD
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-38972 HIGH This Week

Local code execution in Notepad3 (versions through 6.25.822.1) arises from an insecure LoadLibrary(L"MSFTEDIT.DLL") call in the About-dialog path within src/Notepad3.c. Because the DLL is loaded by bare name, an attacker who can drop a malicious MSFTEDIT.DLL into the application directory or an earlier search-order location runs arbitrary code as the current user once that user opens the About dialog. No public exploit identified at time of analysis, and EPSS is low at 0.18% (8th percentile), consistent with a local, user-interaction-dependent flaw rather than a mass-exploitation target.

RCE Notepad3
NVD GitHub
CVSS 3.1
7.8
EPSS
0.2%
CVSS 8.8
HIGH This Week

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment such as Flatpak load an attacker-controlled library and execute arbitrary code on the host user's session. The flaw (CWE-427) is present in PipeWire as shipped in Red Hat Enterprise Linux 7, 8, 9 and 10 and carries a scope-changing CVSS 3.1 score of 8.8. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

RCE Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 7 +2
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Arbitrary code execution in the HYPER SBI 2 installer (SBI Securities' online trading application) allows a local attacker to run code with the invoking user's privileges by planting a crafted DLL in the installer's directory. The flaw stems from insecure DLL search-path loading (CWE-427) and requires the victim to launch the installer from an attacker-influenced folder. No public exploit has been identified at time of analysis; the issue was reported by JPCERT/CC and published via JVN.

RCE Hyper Sbi 2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local arbitrary code execution in Adobe Creative Cloud Desktop lets a low-privileged user run code in the context of the current user by exploiting an uncontrolled search path (CWE-427) — the class of flaw where an application loads a library or executable from an attacker-influenced directory. Adobe (CVE-2026-48272) rates it CVSS 7.8, but the vector is local with high attack complexity and requires existing low-level privileges, and exploitation depends on conditions beyond the attacker's control. No public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a defense-in-depth patch rather than an emergency.

RCE Creative Cloud Desktop
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Arbitrary code execution in SAProuter on Microsoft Windows lets a local attacker plant a malicious DLL in an untrusted search-path location that SAProuter loads at runtime, hijacking the DLL loading process to run attacker code with the privileges of the SAProuter service. The flaw was reported by SAP and carries a CVSS 8.4 with full High impact on confidentiality, integrity, and availability; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because SAProuter typically runs as a persistent network gateway service, successful exploitation can compromise a strategically positioned host in an SAP landscape.

RCE Microsoft Saprouter On Microsoft Windows
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases arises from an Uncontrolled Search Path Element weakness that lets attacker-controlled files or libraries be loaded when a victim opens a malicious file, running code in the context of the current user. The bug carries a scope change (S:C), meaning execution can affect resources beyond the initially vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so real-world risk currently hinges on social-engineering a local user into opening a crafted file.

RCE Coldfusion
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and earlier arises from an uncontrolled search path element (library-hijacking-style) flaw that runs attacker code in the context of the current user when a victim opens a malicious file. The CVSS 3.1 base score is 8.2 with a changed scope, and exploitation is gated by user interaction and low-privilege local access. No public exploit has been identified at time of analysis and it is not listed in CISA KEV.

RCE Coldfusion
NVD
EPSS 0% CVSS 6.4
MEDIUM POC This Month

Local privilege/impact abuse in Tencent PC Manager 18.1.30242.301 stems from an uncontrolled search path (CWE-427) in the QMUDisk kernel driver library qmudisk64.sys, letting a low-privileged local user coerce loading of an attacker-controlled library to achieve high confidentiality, integrity, and availability impact. Publicly available exploit code exists (the 'qmukiller' proof-of-concept on GitHub), but exploitation is rated high-complexity/difficult and requires local access with existing low-level privileges. No public exploit has been tied to active in-the-wild attacks, and the vendor did not respond to the disclosure, so no fix is currently available.

Information Disclosure Pc Manager
NVD VulDB GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Foxit PDF Editor and Foxit PDF Reader (Windows) lets a low-privileged user place executable files that a high-privilege process later runs directly, yielding code execution as NT AUTHORITY\SYSTEM. The flaw stems from an untrusted search path (CWE-427) where the application loads and executes attacker-writable binaries without validating their origin. There is no public exploit identified at time of analysis, EPSS is low (0.11%, 2nd percentile), and SSVC reports no observed exploitation, so this is a locally-exploitable escalation rather than a remotely wormable threat.

Information Disclosure Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Local privilege escalation to arbitrary code execution affects Fuji Electric's Pupsman UPS management software in all versions prior to 3.9.0, where the installer insecurely loads a DLL from its own directory. A local attacker who can drop a malicious DLL into the folder containing the installer can have it executed with SYSTEM privilege the next time the installer is run. No public exploit identified at time of analysis and the flaw is not in CISA KEV; exploitation requires local file placement plus a victim executing the installer (UI:A).

RCE Pupsman
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local code execution in Notepad3 (versions through 6.25.822.1) arises from an insecure LoadLibrary(L"MSFTEDIT.DLL") call in the About-dialog path within src/Notepad3.c. Because the DLL is loaded by bare name, an attacker who can drop a malicious MSFTEDIT.DLL into the application directory or an earlier search-order location runs arbitrary code as the current user once that user opens the About dialog. No public exploit identified at time of analysis, and EPSS is low at 0.18% (8th percentile), consistent with a local, user-interaction-dependent flaw rather than a mass-exploitation target.

RCE Notepad3
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy