Unquoted Search Path Vulnerability in CivetWeb by CivetWeb
CVE-2026-5789

8.5HIGH

Key Information:

Vendor: Civetweb
Status: Civetweb
Vendor: CVE Published:; 21 April 2026

What is CVE-2026-5789?

The vulnerability in CivetWeb v1.16 is characterized by an unquoted search path issue that allows local attackers to execute arbitrary code with elevated privileges. This occurs when a malicious executable is placed in a directory that is scanned prior to the intended application path, specifically due to the lack of quotes in the service configuration. As a result, if exploited, this could lead to significant security breaches, allowing unauthorized users to take control of the affected application.

Affected Version(s)

CivetWeb 1.16

References

https://www.incibe.es/en/incibe-cert/notices/aviso/search...

patch

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 21, 2026
Vulnerability Reserved
Apr 8, 2026

Credit

Rafael Pedrero

CVE-2026-5789 Data

JSON

Civetweb

What is CVE-2026-5789?

Affected Version(s)

References

CVSS V4

Timeline

Credit