CVE-2025-63414 · CRITICAL 10.0 · EPSS p73.0%

Description

A Path Traversal vulnerability in the Allsky WebUI version v2024.12.06_06 allows an unauthenticated remote attacker to achieve arbitrary command execution. By sending a crafted HTTP request to the /html/execute.php endpoint with a malicious payload in the id parameter, an attacker can execute arbitrary commands on the underlying operating system, leading to full remote code execution (RCE).

Scoring

CVSS 3.1: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.62% probability of exploitation · percentile 73.0% · 2026-06-18T12:00:27Z
Published: 2025-12-16
Last modified: 2025-12-31

Underlying weaknesses · 2

CWE-22, CWE-78

References

  1. https://gh0stmezh.wordpress.com/2025/12/02/cve-2025-63414/
  2. https://github.com/AllskyTeam/allsky
  3. https://github.com/AllskyTeam/allsky/blob/master/html/execute.php

| Type | Target | Confidence | Tier |
| --- | --- | --- | --- |
| Weakness | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (cwe-22) | 0% | live |
| Weakness | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (cwe-78) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-65573
  2. CVE-2025-41734
  3. CVE-2025-6541
  4. CVE-2025-6542
  5. CVE-2025-61492
  6. CVE-2025-37162

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.