CVE-2025-63414

moderate-risk

Published 2025-12-16

A Path Traversal vulnerability in the Allsky WebUI version v2024.12.06_06 allows an unauthenticated remote attacker to achieve arbitrary command execution. By sending a crafted HTTP request to the /html/execute.php endpoint with a malicious payload in the id parameter, an attacker can execute arbitrary commands on the underlying operating system, leading to full remote code execution (RCE).

Do I need to act?

2.4% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 10.0/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Allsky

Affected Vendors

Allskyteam

References (3)

Exploit https://gh0stmezh.wordpress.com/2025/12/02/cve-2025-63414/

Product https://github.com/AllskyTeam/allsky

Product https://github.com/AllskyTeam/allsky/blob/master/html/execute.php

/ 100

moderate-risk

Severity 33/34 · Critical

Exploitability 5/34 · Minimal

Exposure 5/34 · Minimal