Description
The installer of FinalCode Client provided by Digital Arts Inc. contains an issue with the DLL search path. If a user is directed to place a malicious DLL file and the installer to the same directory and execute the installer, arbitrary code may be executed with the installer's execution privilege.
Published: 2026-02-26
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Apply Patch
AI Analysis

Impact

The FinalCode Client installer from Digital Arts Inc. is vulnerable because it uses a DLL search path that can be manipulated. If an attacker or a privileged user places a malicious DLL file into the same directory as the installer and runs the installer, the malicious code will be loaded and executed with the installer’s privileges. This flaw is a classic example of DLL Search Path Manipulation, identified as CWE‑427, allowing attackers to gain executable control over the installation process.

Affected Systems

Both the FinalCode Ver.5 and Ver.6 series produced by Digital Arts Inc. are affected. Users running these installers on any Windows platform where the installer is executed from a directory containing a malicious DLL are at risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.4 and a very low EPSS score of less than 1%, indicating that while the flaw is severe, the likelihood of exploitation is low and it has not been reported in the CISA KEV catalog. The attack vector is inferred to be local – the attacker must have the ability to place files in the installer’s directory and execute the installer, so it typically requires either a privileged user or compromised credentials. If achieved, the attacker can run arbitrary code with the installer’s execution privilege.

Generated by OpenCVE AI on April 18, 2026 at 10:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain the latest FinalCode installer from Digital Arts Inc. that resolves the DLL search path flaw
  • Run the updated installer from a trusted directory that contains no user‑supplied DLLs
  • Verify that the installation completes without any prompts to load external DLLs

Generated by OpenCVE AI on April 18, 2026 at 10:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 10:45:00 +0000

Type Values Removed Values Added
Title FinalCode Client Installer DLL Search Path Manipulation Allows Arbitrary Code Execution

Thu, 26 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Digital Arts
Digital Arts finalcode Ver.5 Series
Digital Arts finalcode Ver.6 Series
Vendors & Products Digital Arts
Digital Arts finalcode Ver.5 Series
Digital Arts finalcode Ver.6 Series

Thu, 26 Feb 2026 05:45:00 +0000

Type Values Removed Values Added
Description The installer of FinalCode Client provided by Digital Arts Inc. contains an issue with the DLL search path. If a user is directed to place a malicious DLL file and the installer to the same directory and execute the installer, arbitrary code may be executed with the installer's execution privilege.
Weaknesses CWE-427
References
Metrics cvssV3_0

{'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Digital Arts Finalcode Ver.5 Series Finalcode Ver.6 Series
cve-icon MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-02-26T14:24:33.596Z

Reserved: 2026-02-12T07:13:34.985Z

Link: CVE-2026-25191

cve-icon Vulnrichment

Updated: 2026-02-26T14:24:27.690Z

cve-icon NVD

Status : Deferred

Published: 2026-02-26T06:17:16.200

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25191

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T10:30:35Z

Weaknesses