CVE-2025-57633 · CRITICAL 9.8 · EPSS p70.3%

Description

A command injection vulnerability in FTP-Flask-python through 5173b68 allows unauthenticated remote attackers to execute arbitrary OS commands. The /ftp.html endpoint's "Upload File" action constructs a shell command from the ftp_file parameter and executes it using os.system() without sanitization or escaping.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.47% probability of exploitation · percentile 70.3% · 2026-06-19T12:03:05Z
Published: 2025-09-09
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-77

References

  1. https://gist.github.com/Spendroslav/1c0c6a6556992291b19c3178e3cb5885
  2. https://github.com/ajaypp123/FTP-Flask-python/blob/5173b6828244ff9729fa29cc144d74ccbea30a73/ftp_app.py


Type: Weakness
Target: Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2025-59818
  - CVE: CVE-2025-41736
  - CVE: CVE-2026-27641
  - CVE: CVE-2025-3115
  - CVE: CVE-2025-41735
  - CVE: CVE-2025-54769

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.