Description
Vulnerability related to an unquoted search path in CivetWeb v1.16. This vulnerability allows a local attacker to execute arbitrary code with elevated privileges by placing a malicious executable in a directory that is scanned before the intended application path (C:\Program Files\CivetWeb\CivetWeb.exe --), due to the absence of quotes in the service configuration.
Published: 2026-04-21
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Assess Impact
AI Analysis

Impact

This vulnerability is a local privilege escalation flaw that arises from an unquoted search path in CivetWeb 1.16. The service configuration concatenates directories before the intended application path, so when a malicious executable is placed in a preceding directory, it can be executed with the same privileges as the CivetWeb service. An attacker who can write files to any of these directories can therefore run arbitrary code with elevated privileges on the system.

Affected Systems

CivetWeb version 1.16 on Windows platforms where the CivetWeb service is installed. The flaw is linked to the typical installation path C:\Program Files\CivetWeb\CivetWeb.exe and the ability of the service to search preceding directories on the file system.

Risk and Exploitability

The flaw carries a CVSS score of 8.5, indicating a high severity risk. EPSS data is not available, but the lack of a published patch and the critical impact suggest that exploitation is plausible if an attacker can write to the relevant directories. The vulnerability is not listed in CISA’s KEV catalog, yet the local nature of the attack may appeal to attackers targeting compromised systems or exploiting privileged service configurations.

Generated by OpenCVE AI on April 21, 2026 at 22:47 UTC.

Remediation

Vendor Solution

No solution has been reported yet.

OpenCVE Recommended Actions

  • Verify that CivetWeb 1.16 is installed and that the service configuration does not include the "CivetWeb.exe" decision path unquoted.
  • Restrict write permissions on any directories that are scanned before the CivetWeb executable, so that only privileged users can place executables there.
  • Modify the service installation or configuration to quote the executable path or to move the service to a directory that does not involve concatenation of unquoted segments.
  • Continuously monitor system logs for unexpected execution of binaries originating from unexpected directories and investigate promptly.

Generated by OpenCVE AI on April 21, 2026 at 22:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:civetweb_project:civetweb:1.16:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Civetweb Project
Civetweb Project civetweb
Vendors & Products Civetweb Project
Civetweb Project civetweb

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Vulnerability related to an unquoted search path in CivetWeb v1.16. This vulnerability allows a local attacker to execute arbitrary code with elevated privileges by placing a malicious executable in a directory that is scanned before the intended application path (C:\Program Files\CivetWeb\CivetWeb.exe --), due to the absence of quotes in the service configuration.
Title Search path without quotes in CivetWeb
Weaknesses CWE-428
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Civetweb Project Civetweb
cve-icon MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-04-21T19:27:53.853Z

Reserved: 2026-04-08T12:34:46.460Z

Link: CVE-2026-5789

cve-icon Vulnrichment

Updated: 2026-04-21T19:27:50.585Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T15:16:37.713

Modified: 2026-04-22T17:36:36.280

Link: CVE-2026-5789

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:46:24Z

Weaknesses