Bug 2460200
| Summary: | CVE-2026-5789 civetweb: CivetWeb: Arbitrary code execution and privilege escalation via unquoted search path [epel-all] | ||
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Keith Grant <kgrant> |
| Component: | civetweb | Assignee: | Kaleb KEITHLEY <kkeithle> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | epel10 | CC: | kkeithle |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | {"flaws": ["d64d3f96-e6f9-41ee-ba19-4df8effd71ec"]} | ||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2026-04-27 18:30:13 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2460124 | ||
|
Description
Keith Grant
2026-04-21 18:09:43 UTC
See https://github.com/civetweb/civetweb/issues/1382 Since CivetWeb is utilized as an embedded component within your application, the underlying code does not inherently expose your software to this flaw. Your application would only be susceptible to this type of attack if the following conditions are met simultaneously during deployment: 1. Your application is registered as a Windows service. 2. The path where your application is installed contains spaces in the folder names (as typically occurs in C:\Archivos de programa\ or C:\Program Files). 3. The installation process or the script that registers your application’s service does not enclose the full executable path in quotation marks. Based on the above, closing as NOTABUG |