{"id":"CVE-2025-60938","details":"Emoncms 11.7.3 has a remote code execution vulnerability in the firmware upload feature that allows authenticated users to execute arbitrary commands on the target system. The vulnerability stems from insufficient input validation of user-controlled parameters including filename, port, baud_rate, core, and autoreset within the /admin/upload-custom-firmware endpoint.","modified":"2026-04-10T05:32:28.895088Z","published":"2025-10-24T15:15:40.577Z","references":[{"type":"REPORT","url":"https://github.com/emoncms/emoncms/issues/1941"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/emoncms/emoncms","events":[{"introduced":"0"},{"last_affected":"efcf93c346ca68d2959657dbda1efc55e7a07a49"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"11.7.3"}]}}],"versions":["10.1.10","10.1.11","10.1.4","10.1.7","10.1.8","10.1.9","10.2.0","10.2.1","10.2.2","10.2.3","10.2.4","10.2.5","10.2.7","10.5.5","10.5.6","10.6.5","10.6.6","10.6.7","10.6.8","10.6.9","10.7.0","10.7.1","10.7.2","10.7.3","10.7.4","10.7.7","10.8.1","10.8.5","11.2.10","11.2.3","11.2.7","11.2.8","11.3.20","11.3.22","11.5.2","11.5.3","11.5.5","11.5.6","11.6.1","11.6.10","11.6.11","11.6.12","11.6.2","11.6.4","11.6.5","11.6.6","11.6.7","11.6.8","11.6.9","11.7.3","8.0","8.0.1","8.0.2","8.0.3","8.0.4","8.0.5","8.0.6","8.0.7","8.0.8","8.0.9","8.1.0","8.1.1","8.1.2","8.2","8.2.1","8.2.3","8.2.5","8.2.6","8.2.7","8.3.0","8.3.1","8.5.2","9.8.15","9.8.15.stable","9.8.16","9.8.18","9.8.24","debian/8.0-1","v5.0","v6.0","v6.9","v7.0","v8.3.2","v8.3.3","v8.3.4","v8.3.6","v8.4.0","v9.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-60938.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}