Search Results (2564 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-60320 1 Memoq 1 Memoq 2026-04-15 6.7 Medium
memoQ 10.1.13.ef1b2b52aae and earlier contains an unquoted service path vulnerability in the memoQ Auto Update Service (memoQauhlp101). The affected service is installed with a path containing spaces and without surrounding quotes. This misconfiguration allows local users to escalate privileges to SYSTEM by placing a malicious executable at C:\Program.exe.
CVE-2025-62225 2 Microsoft, Sony 2 Windows, Optical Disc Archive Software 2026-04-15 N/A
Optical Disc Archive Software provided by Sony Corporation registers a Windows service with an unquoted file path. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.
CVE-2025-62820 1 Slack 1 Nebula 2026-04-15 4.9 Medium
Slack Nebula before 1.9.7 mishandles CIDR in some configurations and thus accepts arbitrary source IP addresses within the Nebula network.
CVE-2025-66432 1 Oxide 1 Omicron 2026-04-15 5 Medium
In Oxide control plane 15 through 17 before 17.1, API tokens can be renewed past their expiration date.
CVE-2025-66461 1 Gs Yuasa International 1 Fullback Manager Pro 2026-04-15 N/A
FULLBACK Manager Pro provided by GS Yuasa International Ltd. registers two Windows services with unquoted file paths. A user may execute arbitrary code with SYSTEM privilege if he/she has the write permission on the path to the directory where the affected product is installed.
CVE-2025-9267 2 Microsoft, Seagate 2 Windows, Toolkit 2026-04-15 N/A
In Seagate Toolkit on Windows a vulnerability exists in the Toolkit Installer prior to versions 2.35.0.6 where it attempts to load DLLs from the current working directory without validating their origin or integrity. This behavior can be exploited by placing a malicious DLL in the same directory as the installer executable, leading to arbitrary code execution with the privileges of the user running the installer. The issue stems from the use of insecure DLL loading practices, such as relying on relative paths or failing to specify fully qualified paths when invoking system libraries.
CVE-2025-9818 2 Microsoft, Omron 2 Windows, Poweract Pro Master Agent 2026-04-15 6.7 Medium
A vulnerability (CWE-428) has been identified in the Uninterruptible Power Supply (UPS) management application provided by OMRON SOCIAL SOLUTIONS Co., Ltd., where the executable file paths of Windows services are not enclosed in quotation marks. If the installation folder path of this product contains spaces, there is a possibility that unauthorized files may be executed under the service privileges by using paths containing spaces.
CVE-2025-9844 2 Microsoft, Salesforce 2 Windows, Cli 2026-04-15 8.8 High
Uncontrolled Search Path Element vulnerability in Salesforce Salesforce CLI on Windows allows Replace Trusted Executable.This issue affects Salesforce CLI: before 2.106.6.
CVE-2025-0712 1 Elastic 1 Apm Server 2026-04-15 7 High
An uncontrolled search path element vulnerability can lead to local privilege Escalation (LPE) via Insecure Directory Permissions. The vulnerability arises from improper handling of directory permissions. An attacker with local access may exploit this flaw to move and delete arbitrary files, potentially gaining SYSTEM privileges.
CVE-2025-10714 1 Axis 1 Optimizer 2026-04-15 8.4 High
AXIS Optimizer was vulnerable to an unquoted search path vulnerability, which could potentially lead to privilege escalation within Microsoft Windows operating system. This vulnerability can only be exploited if the attacker has access to the local Windows machine and sufficient access rights (administrator) to write data into the installation path of AXIS Optimizer.
CVE-2025-11772 1 Synaptics 1 Fingerprint Driver 2026-04-15 6.6 Medium
A carefully crafted DLL, copied to C:\ProgramData\Synaptics folder, allows a local user to execute arbitrary code with elevated privileges during driver installation.
CVE-2025-49642 1 Zabbix 1 Zabbix-agent 2026-04-15 N/A
Library loading on AIX Zabbix Agent builds can be hijacked by local users with write access to the /home/cecuser directory.
CVE-2025-64772 1 Sony 1 Inzone Hub 2026-04-15 N/A
The installer of INZONE Hub 1.0.10.3 to 1.0.17.0 contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with the privilege of the user invoking the installer.
CVE-2025-57781 1 Denso Ten 1 Drive Recorder Viewer 2026-04-15 N/A
The installers of DENSO TEN drive recorder viewer contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with the privilege of the user invoking the installer.
CVE-2019-25281 1 Ncp-e 1 Ncp Secure Entry Client 2026-04-15 7.8 High
NCP Secure Entry Client 9.2 contains an unquoted service path vulnerability in multiple Windows services that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted paths in services like ncprwsnt, rwsrsu, ncpclcfg, and NcpSec to inject malicious code that would execute with LocalSystem privileges during service startup.
CVE-2019-25283 1 Shrew 1 Vpn Client 2026-04-15 7.8 High
Shrew Soft VPN Client 2.2.2 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can place malicious executables in the unquoted service path to gain elevated access during service startup or system reboot.
CVE-2019-25285 1 Alps 1 Pointing-device Controller 2026-04-15 7.8 High
Alps Pointing-device Controller 8.1202.1711.04 contains an unquoted service path vulnerability in the ApHidMonitorService that allows local attackers to execute code with elevated privileges. Attackers can place a malicious executable in the service path and gain system-level access when the service restarts or the system reboots.
CVE-2019-25286 1 Gcafe 1 Gcafe 2026-04-15 7.8 High
GCafé 3.0 contains an unquoted service path vulnerability in the gbClientService that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be run with LocalSystem permissions.
CVE-2019-25287 1 Lavasoft 1 Web Companion 2026-04-15 7.8 High
Adaware Web Companion version 4.8.2078.3950 contains an unquoted service path vulnerability in the WCAssistantService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Lavasoft\Web Companion\Application\ to inject malicious code that would execute with LocalSystem privileges during service startup.
CVE-2019-25288 1 Wacom 1 Wtabletservice 2026-04-15 7.8 High
Wacom WTabletService 6.6.7-3 contains an unquoted service path vulnerability that allows local attackers to execute malicious code with elevated privileges. Attackers can insert an executable file in the service path to run unauthorized code when the service restarts or the system reboots.