CVE-2025-67738 · HIGH 8.5 · EPSS p22.0%

Description

squid/cachemgr.cgi in Webmin before 2.600 does not properly quote arguments. This is relevant if Webmin's Squid module and its Cache Manager feature are available, and an untrusted party is able to authenticate to Webmin and has certain Cache Manager permissions (the "cms" security option).

Scoring

CVSS 3.1: 8.5 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.31% probability of exploitation · percentile 22.0% · 2026-06-18T12:00:27Z
Published: 2025-12-11
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-78

References

  1. https://github.com/webmin/webmin/commit/1a52bf4d72f9da6d79250c66e51f41c6f5b880ee
  2. https://github.com/webmin/webmin/compare/2.520...2.600
  3. https://webmin.com/security/#privilige-escalation-using-squid-module-cve-2025-67738

Type: Weakness
Target: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (cwe-78)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: Webmin Command Injection Vulnerability
  2. CVE: CVE-2025-58098
  3. CVE: CVE-2025-54574
  4. CVE: CVE-2025-39491
  5. CVE: CWP Control Web Panel OS Command Injection Vulnerability
  6. CVE: CVE-2026-34355

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.