Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Search path without quotes in CivetWeb

Posted date 21/04/2026
Identificador
INCIBE-2026-297
Importance
4 - High
Affected Resources

CivetWeb v1.16.

Description

INCIBE has coordinated the disclosure of a high-severity vulnerability affecting CivetWeb, a web server. The vulnerability was discovered by Rafael Pedrero.

This vulnerability has been assigned the following identifier, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:

  • CVE-2026-5789: CVSS v4.0: 8.5 | CVSS AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-428
Solution

No solution has been reported yet.

Detail

CVE-2026-5789: vulnerability related to an unquoted search path in CivetWeb v1.16. This vulnerability allows a local attacker to execute arbitrary code with elevated privileges by placing a malicious executable in a directory that is scanned before the intended application path (C:\Program Files\CivetWeb\CivetWeb.exe --), due to the absence of quotes in the service configuration.

CVE
Identificador CVE Severidad Explotación Fabricante
CVE-2026-5789 Alta No CivetWeb
References list
CivetWeb Embedded C/C++ web server
Etiquetas