{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25866", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-06T19:12:03.463Z", "datePublished": "2026-03-09T15:24:47.658Z", "dateUpdated": "2026-03-11T13:57:44.185Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-11T13:57:44.185Z"}, "title": "MobaXterm < 26.1 Notepad++ Unquoted Service Path", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-428", "description": "CWE-428 Unquoted search path or element", "type": "CWE"}]}], "affected": [{"vendor": "Mobatek", "product": "MobaXterm", "versions": [{"status": "affected", "version": "0", "lessThan": "26.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mobatek:mobaxterm:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.1"}]}]}], "descriptions": [{"lang": "en", "value": "MobaXterm versions prior to 26.1 contain an uncontrolled search path element vulnerability. The application calls WinExec to execute Notepad++ without a fully qualified executable path when opening remote files. An attacker can exploit the search path behavior by placing a malicious executable earlier in the search order, resulting in arbitrary code execution in the context of the affected user.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "MobaXterm versions prior to 26.1 contain an uncontrolled search path element vulnerability. The application calls WinExec to execute Notepad++ without a fully qualified executable path when opening remote files. An attacker can exploit the search path behavior by placing a malicious executable earlier in the search order, resulting in arbitrary code execution in the context of the affected user."}]}], "references": [{"url": "https://mobaxterm.mobatek.net/download-home-edition.html", "tags": ["release-notes", "patch"]}, {"url": "https://www.vulncheck.com/advisories/mobaxterm-notepad-unquoted-service-path", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.5, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Spektion Research Team", "type": "finder"}, {"lang": "en", "value": "VulnCheck", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T17:23:34.712351Z", "id": "CVE-2026-25866", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T17:23:49.736Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25866", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T17:23:34.712351Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T17:23:43.394Z"}}], "cna": {"title": "MobaXterm < 26.1 Notepad++ Unquoted Service Path", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Spektion Research Team"}, {"lang": "en", "type": "coordinator", "value": "VulnCheck"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mobatek", "product": "MobaXterm", "versions": [{"status": "affected", "version": "0", "lessThan": "26.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://mobaxterm.mobatek.net/download-home-edition.html", "tags": ["release-notes", "patch"]}, {"url": "https://www.vulncheck.com/advisories/mobaxterm-notepad-unquoted-service-path", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "MobaXterm versions prior to 26.1 contain an uncontrolled search path element vulnerability. The application calls WinExec to execute Notepad++ without a fully qualified executable path when opening remote files. An attacker can exploit the search path behavior by placing a malicious executable earlier in the search order, resulting in arbitrary code execution in the context of the affected user.", "supportingMedia": [{"type": "text/html", "value": "MobaXterm versions prior to 26.1 contain an uncontrolled search path element vulnerability. The application calls WinExec to execute Notepad++ without a fully qualified executable path when opening remote files. An attacker can exploit the search path behavior by placing a malicious executable earlier in the search order, resulting in arbitrary code execution in the context of the affected user.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-428", "description": "CWE-428 Unquoted search path or element"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mobatek:mobaxterm:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "26.1"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-11T13:57:44.185Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25866", "state": "PUBLISHED", "dateUpdated": "2026-03-11T13:57:44.185Z", "dateReserved": "2026-02-06T19:12:03.463Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-09T15:24:47.658Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mobatek:mobaxterm:*:*:*:*:home:*:*:*", "matchCriteriaId": "BADFA52B-4659-4447-8B67-B21BD019FB2F", "versionEndExcluding": "26.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MobaXterm versions prior to 26.1 contain an uncontrolled search path element vulnerability. The application calls WinExec to execute Notepad++ without a fully qualified executable path when opening remote files. An attacker can exploit the search path behavior by placing a malicious executable earlier in the search order, resulting in arbitrary code execution in the context of the affected user."}, {"lang": "es", "value": "Las versiones de MobaXterm anteriores a la 26.1 contienen una vulnerabilidad de elemento de ruta de b\u00fasqueda descontrolada. La aplicaci\u00f3n llama a WinExec para ejecutar Notepad++ sin una ruta de ejecutable completamente calificada al abrir archivos remotos. Un atacante puede explotar el comportamiento de la ruta de b\u00fasqueda al colocar un ejecutable malicioso antes en el orden de b\u00fasqueda, lo que resulta en ejecuci\u00f3n de c\u00f3digo arbitrario en el contexto del usuario afectado."}], "id": "CVE-2026-25866", "lastModified": "2026-05-06T14:23:35.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-09T16:16:18.970", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Vendor Advisory"], "url": "https://mobaxterm.mobatek.net/download-home-edition.html"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/mobaxterm-notepad-unquoted-service-path"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-428"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "MobaXterm", "source": "cna", "vendor": "Mobatek"}, "product": "mobaxterm", "vendor": "mobatek"}], "analysis": {"en": {"generated_at": "2026-04-16T03:59:36.038453+00:00", "value": {"mitigation_remediation": ["Upgrade MobaXterm to version\u202f26.1 or newer to eliminate the unquoted path behavior.", "Ensure that any use of launch utilities like WinExec is performed with fully qualified paths or that the PATH environment is restricted so that malicious binaries cannot be found before the intended executable.", "If an upgrade is not immediately possible, disable or remove the ability to open remote files through the affected application until the full\u2011path safeguard is implemented."], "summary": {"action": "Patch Immediately", "impact": "Arbitrary Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Mobatek MobaXterm client with versions prior to 26.1. Users running these legacy versions on Windows are at risk if they open remote files through the application. The issue is limited to the MobaXterm product itself and does not extend to other applications on the system.", "description_and_impact": "MobaXterm versions before 26.1 allow an attacker to run arbitrary code by exploiting an Unquoted Service Path weakness. When the application opens remote files, it calls WinExec on Notepad++ without providing a fully qualified path, meaning the operating system searches the user\u2019s PATH for the executable. An attacker can craft a malicious binary with the same name and place it earlier in the search order, causing it to be executed in the context of the current user. This flaw is a classic example of CWE\u2011428, where an application runs with a user\u2011supplied path that is not properly quoted or secured, leading to uncontrolled execution of executables.", "risk_and_exploitability": "The CVSS base score of 8.5 indicates a high severity. The EPSS score of less than 1\u202f% suggests that while the flaw is serious, it is not frequently exploited in the wild, possibly due to the need for the attacker to control the remote file system or path ordering. The vulnerability is not listed in CISA\u2019s KEV catalog. An attacker would need to have the ability to place a malicious executable earlier in the PATH before Notepad++ is invoked, which typically requires local or remote file write capabilities. Once achieved, the attacker obtains code execution privileges with the permissions of the user running MobaXterm."}}}}, "created": "2026-03-10T14:07:20.169991+00:00", "updated": "2026-04-16T04:00:09.468587+00:00", "vendors": ["mobatek", "mobatek$PRODUCT$mobaxterm"]}