CVE-2018-12449
CVE-2018-12449 is a high-severity vulnerability in Navercorp Whale with a CVSS 3.x base score of 7.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-426.
Key facts
- Severity: High (CVSS 3.x base score 7.8)
- CVSS v2: 6.8
- EPSS exploit prediction: 1% (55th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-426
- Affected product: Navercorp Whale
- Published:
- Last modified:
Description
The Whale browser installer 0.4.3.0 and earlier versions allows DLL hijacking.
Frequently asked questions
- What is CVE-2018-12449?
- The Whale browser installer 0.4.3.0 and earlier versions allows DLL hijacking.
- How severe is CVE-2018-12449?
- CVE-2018-12449 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2018-12449 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (55th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2018-12449?
- CVE-2018-12449 affects Navercorp Whale. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2018-12449?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2018-12449 published?
- CVE-2018-12449 was published on 2018-10-11 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:navercorp:whale:*:*:*:*:*:*:*:*
More vulnerabilities in Navercorp Whale
- CVE-2025-62583 — Critical (CVSS 9.8): Whale Browser before 4.33.325.17 allows an attacker to escape the iframe sandbox in a dual-tab environment.
- CVE-2025-53599 — Critical (CVSS 9.8): Whale browser for iOS before 3.9.1.4206 allow an attacker to execute malicious scripts in the browser via a crafted…
- CVE-2022-24074 — Critical (CVSS 9.8): Whale Bridge, a default extension in Whale browser before 3.12.129.18, allowed to receive any SendMessage request from…
- CVE-2025-69234 — Critical (CVSS 9.1): Whale browser before 4.35.351.12 allows an attacker to escape the iframe sandbox in a sidebar environment.
- CVE-2018-9859 — High (CVSS 8.1): The path of Whale update service was unquoted in NAVER Whale before 1.0.40.7. This vulnerability can be used for…
- CVE-2017-15913 — High (CVSS 7.8): The Installer in Whale allows DLL hijacking.
All CVEs affecting Navercorp Whale →
Other CWE-426 (Untrusted Search Path) vulnerabilities
- CVE-2026-45772 — Critical (CVSS 9.8): Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14,…
- CVE-2025-26155 — Critical (CVSS 9.8): NCP Secure Enterprise Client 13.18 and NCP Secure Entry Windows Client 13.19 have an Untrusted Search Path…
- CVE-2024-53866 — Critical (CVSS 9.8): The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: Overrides from one…
- CVE-2024-38462 — Critical (CVSS 9.8): iRODS before 4.3.2 provides an msiSendMail function with a problematic dependency on the mail binary, such as in the…
- CVE-2023-30330 — Critical (CVSS 9.8): SoftExpert (SE) Excellence Suite 2.x versions before 2.1.3 is vulnerable to Local File Inclusion in the function…
- CVE-2022-24826 — Critical (CVSS 9.8): On Windows, if Git LFS operates on a malicious repository with a `..exe` file as well as a file named `git.exe`, and…
Browse all CWE-426 (Untrusted Search Path) vulnerabilities →