CVE-2026-4962
Received - Intake
Uncontrolled Search Path Vulnerability in UltraVNC Service.dll

Publication date: 2026-03-27

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in UltraVNC up to 1.6.4.0. It affects some unknown functionality in the library version.dll of the Service component. Manipulation results in an uncontrolled search path. The attack requires local access, is characterized by high complexity, and is known to be difficult to exploit. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information

Published: 2026-03-27

Last Modified: 2026-04-29

Generated: 2026-06-16

AI Q&A: 2026-03-27

EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: uvnc
Product: ultravnc
Version / Range: From 1.6.0.0 (inc) to 1.6.4.0 (inc)
CWE ID Description
CWE-427: The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
CWE-426: The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
Executive Summary

This vulnerability exists in UltraVNC up to version 1.6.4.0, specifically in the library version.dll of the Service component. It involves an uncontrolled search path manipulation, which means that the software may load malicious files from unintended locations. The attack requires local access and is considered highly complex and difficult to exploit. However, a public exploit is available.

Impact Analysis

Exploitation of this vulnerability can lead to complete compromise of confidentiality, integrity, and availability of the affected system. Since the attack requires local access and is complex, it may be limited to attackers who already have some level of access. Successful exploitation could allow an attacker to execute malicious code or manipulate the system in unauthorized ways.
