Prey 1.9.6 - "CronService" Unquoted Service Path | Advisories

Advisories

Prey 1.9.6 - "CronService" Unquoted Service Path

severity: high
date: January 28, 2026
Affecting: Prey 1.9.6
CVE: CVE-2020-36986
CWE: CWE-428 Unquoted Search Path or Element
CVSS: 8.5
CVSS V4 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-48967
Vendor Homepage
Credit: Ömer Tuygun
Description: Prey 1.9.6 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the CronService to insert malicious code that would execute during application startup or system reboot.