CVE-2025-34095

Name of the Vulnerable Software and Affected Versions: Mako Server versions 2.5 and 2.6

Description: An OS command injection vulnerability exists within the tutorial interface. An unauthenticated attacker can send a crafted PUT request containing arbitrary Lua os.execute() code to the /examples/save.lsp endpoint. This code is then persisted on disk and triggered via a subsequent GET request to /examples/manage.lsp, allowing remote command execution on the underlying operating system, impacting both Windows and Unix-based deployments.

Recommendations: Mako Server version 2.5: At the moment, there is no information about a newer version that contains a fix for this vulnerability. Mako Server version 2.6: At the moment, there is no information about a newer version that contains a fix for this vulnerability.