CVE-2026-4962
Uncontrolled Search Path Vulnerability in UltraVNC Service.dll
Publication date: 2026-03-27
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uvnc | ultravnc | From 1.6.0.0 (inc) to 1.6.4.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-427 | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
| CWE-426 | The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in UltraVNC up to version 1.6.4.0, specifically in the library version.dll of the Service component. It is an uncontrolled search path issue, which means that the software may load malicious files from unintended locations. The attack requires local access and is considered highly complex and difficult to exploit. However, a public exploit is available.
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to complete compromise of confidentiality, integrity, and availability of the affected system. Since the attack requires local access and is complex, it may be limited to attackers who already have some level of access. Successful exploitation could allow an attacker to execute malicious code or manipulate the system in unauthorized ways.