{"id":"CVE-2025-63414","details":"A Path Traversal vulnerability in the Allsky WebUI version v2024.12.06_06 allows an unauthenticated remote attacker to achieve arbitrary command execution. By sending a crafted HTTP request to the /html/execute.php endpoint with a malicious payload in the id parameter, an attacker can execute arbitrary commands on the underlying operating system, leading to full remote code execution (RCE).","modified":"2026-04-10T05:33:29.775213Z","published":"2025-12-16T17:16:10.473Z","references":[{"type":"WEB","url":"https://github.com/AllskyTeam/allsky/blob/master/html/execute.php"},{"type":"PACKAGE","url":"https://github.com/AllskyTeam/allsky"},{"type":"EVIDENCE","url":"https://gh0stmezh.wordpress.com/2025/12/02/cve-2025-63414/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/AllskyTeam/allsky","events":[{"introduced":"0"},{"last_affected":"171b15cac1eb5ec972fea85e596ab8e2b74e2ba1"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2024.12.06_06"}]}}],"versions":["V0.2","V0.4","v0.5","v0.6","v0.7","v2022.03.01","v2023.05.01","v2023.05.01_03","v2023.05.01_04","v2023.05.01_05","v2024.12.06","v2024.12.06_01","v2024.12.06_02","v2024.12.06_03","v2024.12.06_04","v2024.12.06_05","v2024.12.06_06"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-63414.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}]}