Mobatek MobaXterm Home Edition msimg32.dll uncontrolled search path
Summary
| CVE | CVE-2026-6421 |
|---|---|
| State | PUBLISHED |
| Assigner | VulDB |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-17 06:16:30 UTC |
| Updated | 2026-04-17 06:16:30 UTC |
| Description | A vulnerability has been found in Mobatek MobaXterm Home Edition up to 26.1. This affects an unknown part in the library msimg32.dll. The manipulation leads to uncontrolled search path. An attack has to be approached locally. The attack is considered to have high complexity. It is indicated that the exploitability is difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 26.2 is able to mitigate this issue. It is suggested to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. |
Risk And Classification
Primary CVSS: v4.0 7.3 HIGH from [email protected]
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.000050000 probability, percentile 0.002640000 (date 2026-04-18)
Problem Types: CWE-426 | CWE-427 | CWE-427 Uncontrolled Search Path | CWE-426 Untrusted Search Path
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 7.3 | HIGH | CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/C... |
| 4.0 | CNA | DECLARED | 7.3 | HIGH | CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P |
| 3.1 | [email protected] | Primary | 7 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 7 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
| 3.0 | CNA | DECLARED | 7 | HIGH | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
| 2.0 | [email protected] | Secondary | 6 | AV:L/AC:H/Au:S/C:C/I:C/A:C | |
| 2.0 | CNA | DECLARED | 6 | AV:L/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C |
CVSS v4.0 Breakdown
Attack Vector
LocalAttack Complexity
HighAttack Requirements
NonePrivileges Required
LowUser Interaction
NoneConfidentiality
HighIntegrity
HighAvailability
HighSub Conf.
NoneSub Integrity
NoneSub Availability
NoneCVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
HighPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v3.0 Breakdown
Attack Vector
LocalAttack Complexity
HighPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Mobatek | MobaXterm Home Edition | affected 26.0 | Not specified |
| CNA | Mobatek | MobaXterm Home Edition | affected 26.1 | Not specified |
| CNA | Mobatek | MobaXterm Home Edition | unaffected 26.2 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| vuldb.com/vuln/358020 | [email protected] | vuldb.com | |
| download.mobatek.net/2622026032581854/MobaXterm_Installer_v26.2.zip | [email protected] | download.mobatek.net | |
| mobaxterm.mobatek.net/download-home-edition.html | [email protected] | mobaxterm.mobatek.net | |
| drive.google.com/file/d/17bbNDzfoD3NNPlUMkSYs8bVzVbbwddnU/view | [email protected] | drive.google.com | |
| vuldb.com/vuln/358020/cti | [email protected] | vuldb.com | |
| vuldb.com/submit/778851 | [email protected] | vuldb.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: haehanse (VulDB User) (en)
CNA: VulDB CNA Team (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-04-03T00:00:00.000Z | Countermeasure disclosed |
| CNA | 2026-04-17T00:00:00.000Z | Advisory disclosed |
| CNA | 2026-04-17T02:00:00.000Z | VulDB entry created |
| CNA | 2026-04-17T07:35:49.000Z | VulDB entry last update |
There are currently no legacy QID mappings associated with this CVE.