ByteOS Network

CVE Vulnerability Details :

CVE-2025-32778

PUBLISHED

More Info Official Page

Assigner-GitHub_M

Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa

Published At-15 Apr, 2025 | 20:19

Updated At-15 Apr, 2025 | 20:31

▼CVE Numbering Authority (CNA)

Web-Check allows command Injection via Unvalidated URL in Screenshot API

Web-Check is an all-in-one OSINT tool for analyzing any website. A command injection vulnerability exists in the screenshot API of the Web Check project (Lissy93/web-check). The issue stems from user-controlled input (url) being passed unsanitized into a shell command using exec(), allowing attackers to execute arbitrary system commands on the underlying host. This could be exploited by sending crafted url parameters to extract files or even establish remote access. The vulnerability has been patched by replacing exec() with execFile(), which avoids using a shell and properly isolates arguments.

Affected Products

Vendor

Lissy93

Product

web-check

Versions

Affected

< 2.0.1

Problem Types

Type	CWE ID	Description
CWE	CWE-78	CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Metrics

Version	Base score	Base severity	Vector
4.0	9.3	CRITICAL	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

Hyperlink	Resource
https://github.com/Lissy93/web-check/security/advisories/GHSA-5qg5-g7c2-pfx8	x_refsource_CONFIRM
https://github.com/Lissy93/web-check/pull/243	x_refsource_MISC
https://github.com/Lissy93/web-check/commit/0e4958aa10b2650d32439a799f6fc83a7cd46cef	x_refsource_MISC

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References