
CVE-2026-5789

Severity: High
Published: 21 April 2026
Modified: 22 April 2026
KEV: not listed
CVSS v4.0 base score: 8.5 (High), vector CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS: 0.0014 (3.6th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-5789 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in CivetWeb (civetweb project). Its CVSS v4.0 base score is 8.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009). EPSS ranks it at the 3.6th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings), which requires the service's executable path to be quoted, and SI-2 (Flaw Remediation), which covers patching CivetWeb or correcting the service configuration; least privilege for the service account limits the impact if the path is hijacked.

Deeper analysis

CVE-2026-5789 is an unquoted search path vulnerability (CWE-428) affecting CivetWeb version 1.16 when installed as a Windows service. The service's ImagePath is registered without quotes as C:\Program Files\CivetWeb\CivetWeb.exe. Because the path contains a space and is not quoted, Windows cannot tell where the executable name ends and any arguments begin; CreateProcess therefore tries each space-delimited prefix in turn, appending .exe, before it reaches the intended binary. For this path the prefix tried first is C:\Program.exe.

A local attacker with low privileges (PR:L) can exploit this with low complexity (AC:L) and no user interaction (UI:N). If the attacker can write an executable to a path that Windows tries before the real one (here C:\Program.exe), the Service Control Manager launches that file on the next service start, typically as LocalSystem, so the attacker's code runs with elevated privileges and confidentiality, integrity and availability are all affected (C:H/I:H/A:H). In practice the precondition is write access to the directory that holds the hijack candidate: on a default Windows installation standard users cannot create files in the root of the system drive, so exploitability depends on the ACL of that directory or on the service being installed under a user-writable path. The CVSS v4.0 base score is 8.5; the CVSS v3.1 base score is 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
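The following PowerShell is an added example written for this page; it is not code from the INCIBE-CERT advisory or from the CivetWeb project. It implements the check an administrator would run for the condition described above: it walks the service registry, finds ImagePath values that are unquoted and contain a space, lists the prefix paths CreateProcess would try before the real binary, reports whether a broad principal (Users, Authenticated Users, Everyone) has an Allow ACE granting write or create-file rights on the directory that would hold the planted file, and quotes the executable part of the ImagePath in place. The service name CivetWeb used in the usage lines is an assumption; the advisory does not state the registered service name.

```powershell
# Added example, not code from the advisory or from the CivetWeb project.
# Run from an elevated PowerShell. The service name 'CivetWeb' below is an assumption.

function Get-HijackCandidate {
    # Pure helper: given a raw ImagePath, return the executable, its arguments and the
    # alternative paths Windows would try first, or $null if the path is quoted or space-free.
    param([Parameter(Mandatory)][string]$ImagePath)
    if ($ImagePath.StartsWith('"')) { return $null }
    $m = [regex]::Match($ImagePath, '^(?<exe>.*?\.exe)(?<args>.*)$', 'IgnoreCase')
    if (-not $m.Success) { return $null }            # not a user-mode .exe path (e.g. a driver)
    $exe = $m.Groups['exe'].Value
    if ($exe -notmatch ' ') { return $null }         # spaces only in the arguments are harmless
    # CreateProcess splits the unquoted string at each space and tries prefix + ".exe" in turn.
    $parts = $exe -split ' '
    $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
    [pscustomobject]@{
        Executable = $exe
        Arguments  = $m.Groups['args'].Value
        Candidates = @($candidates)
    }
}

function Test-StandardUserWritable {
    # Approximate check: does an Allow ACE for a broad principal grant write/create-file rights
    # on the directory that would hold the planted file? Deny ACEs are not evaluated.
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $broad = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broad -contains $ace.IdentityReference.Value -and
            $ace.FileSystemRights.ToString() -match 'FullControl|Modify|Write|CreateFiles') {
            return $true
        }
    }
    return $false
}

function Get-UnquotedServicePath {
    # One row per (service, plantable path), with the writability verdict for its parent directory.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $raw = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        if (-not $raw) { continue }
        $hit = Get-HijackCandidate -ImagePath ([Environment]::ExpandEnvironmentVariables($raw))
        if (-not $hit) { continue }
        foreach ($c in $hit.Candidates) {
            [pscustomobject]@{
                Service       = $svc.PSChildName
                ImagePath     = $raw
                PlantablePath = $c
                UserWritable  = Test-StandardUserWritable -Directory (Split-Path -Path $c -Parent)
            }
        }
    }
}

function Repair-UnquotedServicePath {
    # Quote the executable portion of ImagePath, preserving the registry value type.
    # The change takes effect at the next service start.
    param([Parameter(Mandatory)][string]$ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $raw = (Get-ItemProperty -Path $key).ImagePath
    $hit = Get-HijackCandidate -ImagePath $raw
    if (-not $hit) { return $raw }                   # already quoted or nothing to fix
    $fixed = '"{0}"{1}' -f $hit.Executable, $hit.Arguments
    $kind  = (Get-Item -Path $key).GetValueKind('ImagePath')
    Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type $kind
    return $fixed
}

# Usage (assumed service name):
# Get-UnquotedServicePath | Format-Table -AutoSize
# Repair-UnquotedServicePath -ServiceName 'CivetWeb'
```

For the ImagePath `C:\Program Files\CivetWeb\CivetWeb.exe --` the helper reports a single plantable path, `C:\Program.exe`, and the repair writes `"C:\Program Files\CivetWeb\CivetWeb.exe" --`. The writability check deliberately looks for CreateFiles/Write rights and not AppendData (create folders), which is the only right Authenticated Users hold on the root of the system drive by default. Writing the quoted value directly to the registry sidesteps the argument-quoting pitfalls of passing embedded double quotes through `sc.exe config ... binPath=` from PowerShell.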

The INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/search-path-without-quotes-civetweb provides details on the vulnerability, including recommendations for mitigation.

Vulnerability details

Vulnerability related to an unquoted search path in CivetWeb v1.16. This vulnerability allows a local attacker to execute arbitrary code with elevated privileges by placing a malicious executable in a directory that is scanned before the intended application path (C:\Program Files\CivetWeb\CivetWeb.exe --), due to the absence of quotes in the service configuration.

CWE(s)

CWE-428 Unquoted Search Path or Element

Related Threats

MITRE ATT&CK Enterprise Techniques

T1574.009 Path Interception by Unquoted Path
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
Why these techniques?

An unquoted service path is the exact precondition for T1574.009: the adversary plants an executable at one of the prefix paths Windows tries before the intended binary, and the Service Control Manager runs it at service startup.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-36928 (shared CWE-428)
CVE-2023-54336 (shared CWE-428)
CVE-2020-37048 (shared CWE-428)
CVE-2019-25306 (shared CWE-428)
CVE-2020-36979 (shared CWE-428)
CVE-2020-36929 (shared CWE-428)
CVE-2020-37017 (shared CWE-428)
CVE-2021-47859 (shared CWE-428)
CVE-2019-25309 (shared CWE-428)
CVE-2021-47790 (shared CWE-428)

Affected Assets

Vendor: civetweb project
Product: civetweb
Version: 1.16

Mitigating Controls (NIST 800-53 r5)

CM-6 Configuration Settings (prevent): enforces secure configuration settings for services, requiring quoted executable paths, which directly prevents unquoted search path hijacking in the CivetWeb service configuration.

SI-2 Flaw Remediation (prevent): provides for identification, reporting and remediation of flaws such as CVE-2026-5789, including quoting the service path or patching CivetWeb.

Least Privilege (prevent): runs services such as CivetWeb under a minimally privileged account rather than LocalSystem, limiting what an attacker gains even if the unquoted path is hijacked.

References

INCIBE-CERT, "Search path without quotes in CivetWeb": https://www.incibe.es/en/incibe-cert/notices/aviso/search-path-without-quotes-civetweb