Home

Description

Vulnerability related to an unquoted service path in Small HTTP Server 3.06.36, specifically affecting the executable located at 'C:\Program Files (x86)\shttps_mg\http.exe service'. This misconfiguration allows a local attacker to place a malicious executable with the same name in a higher priority directory, causing the service to execute the malicious file instead of the legitimate one. Exploiting this flaw could allow arbitrary code execution, unauthorized access to the system, or service disruption. To mitigate the risk, the service path must be properly quoted, and systems must be kept up to date with security patches, while restricting physical and network access.

PUBLISHED Reserved 2025-04-16 | Published 2026-03-26 | Updated 2026-03-26 | Assigner INCIBE




HIGH: 8.5CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-428 Unquoted search path or element

Product status

Default status
unaffected

3.06.36
affected

Credits

Rafael Pedrero finder

References

www.incibe.es/...-vulnerabilities-small-http-server-smallsrv patch

cve.org (CVE-2025-41359)

nvd.nist.gov (CVE-2025-41359)

Download JSON