Bug 2460200 - CVE-2026-5789 civetweb: CivetWeb: Arbitrary code execution and privilege escalation via unquoted search path [epel-all]
Summary: CVE-2026-5789 civetweb: CivetWeb: Arbitrary code execution and privilege esca...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: civetweb
Version: epel10
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
Assignee: Kaleb KEITHLEY
QA Contact:
URL:
Whiteboard: {"flaws": ["d64d3f96-e6f9-41ee-ba19-4...
Depends On:
Blocks: CVE-2026-5789
TreeView+ depends on / blocked
 
Reported: 2026-04-21 18:09 UTC by Keith Grant
Modified: 2026-04-27 18:30 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2026-04-27 18:30:13 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Keith Grant 2026-04-21 18:09:43 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Comment 1 Kaleb KEITHLEY 2026-04-27 18:30:13 UTC
See https://github.com/civetweb/civetweb/issues/1382

Since CivetWeb is utilized as an embedded component within your application, the underlying code does not inherently expose your software to this flaw. Your application would only be susceptible to this type of attack if the following conditions are met simultaneously during deployment:

    1. Your application is registered as a Windows service.
    2. The path where your application is installed contains spaces in the folder names (as typically occurs in C:\Archivos de programa\ or C:\Program Files).
    3. The installation process or the script that registers your application’s service does not enclose the full executable path in quotation marks.

Based on the above, closing as NOTABUG


Note You need to log in before you can comment on or make changes to this bug.