OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking
Impact: The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the...
GHSA-9H8M-3FM2-QJRQ OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking
Impact: The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the...
CVE-2026-24051
OpenTelemetry-Go SDK vulnerability CVE-2026-24051: The Go SDK (versions v1.20.0–1.39.0) is vulnerable on macOS/Darwin to PATH Hijacking via the resource detector in sdk/resource/host_id.go, which runs ioreg using a search path. An attacker able to modify PATH can achieve Arbitrary Code Execution ...
CVE-2026-24051 OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking
OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search pat...
CVE-2026-24051
OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search pat...
PT-2026-5718
Name of the Vulnerable Software and Affected Versions: OpenTelemetry-Go versions 1.20.0 through 1.39.0. Description: The OpenTelemetry Go SDK versions 1.20.0 through 1.39.0 are susceptible to a path hijacking issue on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go...
OpenTelemetry-Go Code Issue Vulnerability
OpenTelemetry-Go is an open-source developer toolkit developed by OpenTelemetry - CNCF. Versions of OpenTelemetry-Go from 1.20.0 to 1.39.0 have code vulnerabilities. These vulnerabilities stem from path hijacking during the execution of the ioreg command in resource detection code, which may lead...
CVE-2021-47898 Epson USB Display 1.6.0.0 Unquoted Service Path Vulnerability
Epson USB Display 1.6.0.0 contains an unquoted service path vulnerability in the EMPUDSA service running with LocalSystem privileges. Attackers can exploit the unquoted path by placing malicious executables in intermediate directories to gain elevated system access...
CVE-2021-22037
Under certain circumstances, when manipulating the Windows registry, InstallBuilder uses the reg.exe system command. The full path to the command is not enforced, which results in a search in the search path until a binary can be identified. This makes the installer/uninstaller vulnerable to Path...
CVE-2021-22921
Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PAT...
CVE-2025-40763
A vulnerability has been identified in Altair Grid Engine All versions V2026.0.0. Affected products do not properly validate environment variables when loading shared libraries, allowing path hijacking through malicious library substitution. This could allow a local attacker to execute arbitrary...
CVE-2025-14596
Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Pro Installer SFX on Windows allows Search Order Hijacking. This issue affects Quartus Prime Pro: from 24.1 through 24.3.1...
EUVD-2025-206250
Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Standard on Windows Nios II Command Shell modules, Altera Quartus Prime Lite on Windows Nios II Command Shell modules allows Search Order Hijacking. This issue affects Quartus Prime Standard: from 19.1 through 24.1; Quartus Pri...
CVE-2025-14599
Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Standard Installer SFX on Windows, Altera Quartus Prime Lite Installer SFX on Windows allows Search Order Hijacking. This issue affects Quartus Prime Standard: from 23.1 through 24.1; Quartus Prime Lite: from 23.1 through 24.1...
Altera Quartus Prime Pro Security Vulnerability
Altera Quartus Prime Pro is an FPGA design software from Altera Corporation, USA. A security vulnerability exists in Altera Quartus Prime Pro versions 24.1 through 24.3.1, which originates from the presence of an uncontrolled search path element in the Windows installer, which could lead to searc...
CVE-2025-14599 Quartus® Prime Standard and Quartus® Prime Lite Security Advisory
Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Standard Installer SFX on Windows, Altera Quartus Prime Lite Installer SFX on Windows allows Search Order Hijacking. This issue affects Quartus Prime Standard: from 23.1 through 24.1; Quartus Prime Lite: from 23.1 through 24.1...
CVE-2025-14605
CVE-2025-14605 affects Altera Quartus Prime Pro on Windows, specifically System Console modules, with versions 17.0 through 25.1.1 vulnerable to an Uncontrolled Search Path Element, enabling a Search Order Hijacking scenario. The root cause is the presence of an uncontrolled search path element t...