ByteOS Network

NVD Vulnerability Details :

CVE-2025-6775

Analyzed

Source-cna@vuldb.com

Published At-27 Jun, 2025 | 20:15

Updated At-30 Jan, 2026 | 00:38

A vulnerability classified as critical has been found in xiaoyunjie openvpn-cms-flask up to 1.2.7. This affects the function create_user of the file /app/api/v1/openvpn.py of the component User Creation Endpoint. The manipulation of the argument Username leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.2.8 is able to address this issue. The patch is named e23559b98c8ea2957f09978c29f4e512ba789eb6. It is recommended to upgrade the affected component.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	5.3	MEDIUM	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary	3.1	6.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary	3.1	9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary	2.0	6.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:P

Type: Secondary

Version: 4.0

Base score: 5.3

Base severity: MEDIUM

Vector:

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Secondary

Version: 3.1

Base score: 6.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Type: Primary

Version: 3.1

Base score: 9.8

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Type: Secondary

Version: 2.0

Base score: 6.5

Base severity: MEDIUM

Vector:

AV:N/AC:L/Au:S/C:P/I:P/A:P

CPE Matches

xiaoyunjie>>openvpn-cms-flask>>Versions before 1.2.8(exclusive)

cpe:2.3:a:xiaoyunjie:openvpn-cms-flask:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-74	Secondary	cna@vuldb.com
CWE-77	Secondary	cna@vuldb.com
CWE-77	Primary	nvd@nist.gov

CWE ID: CWE-74

Type: Secondary

Source: cna@vuldb.com

CWE ID: CWE-77

Type: Secondary

Source: cna@vuldb.com

CWE ID: CWE-77

Type: Primary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
https://github.com/xiaoyunjie/openvpn-cms-flask/commit/e23559b98c8ea2957f09978c29f4e512ba789eb6	cna@vuldb.com	Patch
https://github.com/xiaoyunjie/openvpn-cms-flask/issues/24	cna@vuldb.com	Exploit Issue Tracking Vendor Advisory
https://github.com/xiaoyunjie/openvpn-cms-flask/issues/24#issuecomment-2948563464	cna@vuldb.com	Exploit Issue Tracking Vendor Advisory
https://github.com/xiaoyunjie/openvpn-cms-flask/releases/tag/v1.2.8	cna@vuldb.com	Release Notes
https://vuldb.com/?ctiid.314091	cna@vuldb.com	Permissions Required VDB Entry
https://vuldb.com/?id.314091	cna@vuldb.com	Third Party Advisory VDB Entry
https://vuldb.com/?submit.602373	cna@vuldb.com	Third Party Advisory VDB Entry