Search path without quotes in CivetWeb

Posted date 21/04/2026

Identificador

INCIBE-2026-297

Importance

4 - High

Affected Resources

CivetWeb v1.16.

Description

INCIBE has coordinated the disclosure of a high-severity vulnerability affecting CivetWeb, a web server. The vulnerability was discovered by Rafael Pedrero.

This vulnerability has been assigned the following identifier, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:

CVE-2026-5789: CVSS v4.0: 8.5 | CVSS AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-428

Solution

The CivetWeb team has released a fix that addresses the reported vulnerability:

https://github.com/civetweb/civetweb/commit/3c0fb6ad582224b91959caf79a25dd98389c084d

However, it is still possible to exploit the vulnerability if the attacker has local access to the server and the ability to upload or delete files.

Detail

CVE-2026-5789: vulnerability related to an unquoted search path in CivetWeb v1.16. This vulnerability allows a local attacker to execute arbitrary code with elevated privileges by placing a malicious executable in a directory that is scanned before the intended application path (C:\Program Files\CivetWeb\CivetWeb.exe --), due to the absence of quotes in the service configuration.

CVE

Identificador CVE	Severidad	Explotación	Fabricante
CVE-2026-5789	Alta	No	CivetWeb

References list

CivetWeb Embedded C/C++ web server

Etiquetas