Microsoft Windows Help (Winhlp32) contains an HLP file loading hijack vulnerability because programs that invoke help from HLP files pass relative paths, causing Winhlp32 to load HLP files from the directory in which it was started, if they exist. Proof of concept code included.
555250bab20bf8be89a3b9e62da9fd89d8bfae7044864dbc0df99dbc189d1d0e
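A defensive check for the condition described above, as an added example that is not part of the original advisory or its proof of concept: it lists HLP files in working directories (shares, download folders) whose names collide with files in a trusted help directory, since those are the files a relative-path lookup would pick up. The function names are hypothetical, and the trusted directory (for example the system's `Help` folder) is an assumption supplied by the caller.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large help files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_shadowing_hlp(trusted_dir, scan_roots):
    """Return sorted (path, verdict) pairs for files under scan_roots whose name
    matches an .hlp file in trusted_dir (Windows names compare case-insensitively)."""
    trusted = {}
    for name in os.listdir(trusted_dir):
        full = os.path.join(trusted_dir, name)
        if name.lower().endswith(".hlp") and os.path.isfile(full):
            trusted[name.lower()] = sha256_of(full)
    trusted_real = os.path.realpath(trusted_dir)
    findings = []
    for root in scan_roots:
        for dirpath, _dirs, files in os.walk(root):
            if os.path.realpath(dirpath) == trusted_real:
                continue  # the trusted copies themselves are not findings
            for name in files:
                if name.lower() in trusted:
                    path = os.path.join(dirpath, name)
                    same = sha256_of(path) == trusted[name.lower()]
                    findings.append((path, "identical copy" if same else "content differs"))
    return sorted(findings)


def demo():
    """Constructed sample tree: one trusted help file and one same-named file in a share."""
    with tempfile.TemporaryDirectory() as base:
        trusted, share = os.path.join(base, "Help"), os.path.join(base, "share")
        os.mkdir(trusted)
        os.mkdir(share)
        for path, data in ((os.path.join(trusted, "app.hlp"), b"trusted"),
                           (os.path.join(share, "APP.HLP"), b"planted"),
                           (os.path.join(share, "notes.txt"), b"unrelated")):
            with open(path, "wb") as fh:
                fh.write(data)
        return [(os.path.basename(p), v) for p, v in find_shadowing_hlp(trusted, [share])]


if __name__ == "__main__":
    print(demo())
```

A "content differs" verdict marks a same-named help file that is not the installed one and deserves a closer look; an "identical copy" is usually a benign duplicate.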