Vendor

Yandex

1 brief RSS

CVE-2026-25865: Punto Switcher Unquoted Search Path Vulnerability

CVE-2026-25865 describes an unquoted search path element vulnerability in Yandex Punto Switcher through version 4.5.0.583, allowing local attackers to execute arbitrary code by placing a malicious `RunDll32.exe` earlier in the system's PATH to hijack the application's insecure `WinExec` call, leading to arbitrary code execution with affected user privileges.

Punto Switcher privilege-escalation local-exploitation windows software-vulnerability path-interception

2r 2t 2d ago