PT-2025-47185 · Glob+1

Published: 2025-11-17 · Updated: 2026-05-18

CVE-2025-64756

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Glob versions 10.3.7 through 11.0.3

Description
The glob command-line interface contains a command injection issue in its -c/--cmd option, which allows arbitrary command execution when it processes files with maliciously crafted names. With glob -c <command> <patterns>, matched filenames are passed to a shell, so shell metacharacters in a filename are interpreted by that shell instead of being treated as data. The result is arbitrary code execution with the privileges of the user or CI account running the command.

Recommendations
Update to version 11.1.0 or later.
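A triage helper for the condition described above, as an added example that is not code from the glob project or from this advisory: it checks a glob version string against the affected range and lists filenames that contain shell metacharacters. The function names, the metacharacter set and the sample filenames are assumptions made for illustration.

```javascript
// Added triage example for CVE-2025-64756; not code from the glob project.
// The affected range (10.3.7 through 11.0.3) comes from the advisory text.
const FIRST_AFFECTED = [10, 3, 7];
const LAST_AFFECTED = [11, 0, 3];

// Parse "11.0.3" or "v11.0.3-beta.1" into [major, minor, patch].
// Pre-release tags are ignored, which errs on the side of flagging.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedGlobVersion(version) {
  const v = parseVersion(version);
  return compareVersions(v, FIRST_AFFECTED) >= 0 &&
         compareVersions(v, LAST_AFFECTED) <= 0;
}

// Assumed, conservative set of characters a POSIX shell treats specially.
const SHELL_META = /[\s;&|<>()$`\\"']/;

function riskyFilenames(names) {
  return names.filter((name) => SHELL_META.test(name));
}

// Combine both checks into one report for a CI pre-flight step.
// "exposed" matters only where glob -c is actually run over these names.
function triage(version, names) {
  const affected = isAffectedGlobVersion(version);
  const risky = riskyFilenames(names);
  return { affected, risky, exposed: affected && risky.length > 0 };
}

// Constructed sample input (not taken from the advisory).
const SAMPLE_NAMES = ["src/index.js", "docs/report;v2.txt", "tmp/$HOME.log"];
console.log(triage("11.0.3", SAMPLE_NAMES));
console.log(triage("11.1.0", SAMPLE_NAMES));
```

A filename flagged here is not necessarily malicious; the list only shows which names a shell would not treat as plain data.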

Exploit

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2026-01716
CLEANSTART-2026-CE10526
CLEANSTART-2026-DV49099
CLEANSTART-2026-NB51079
CLEANSTART-2026-OW14933
CLEANSTART-2026-SW34937
CVE-2025-64756
ECHO-840F-D5CE-2603
GHSA-5J98-MCP5-4VW2
OPENSUSE-SU-2025:15775-1

Affected Products

Confluence
Glob