CVE-2025-63414

Name of the Vulnerable Software and Affected Versions Allsky WebUI version v2024.12.06 06

Description A path traversal flaw exists in Allsky WebUI version v2024.12.06 06 that permits an unauthenticated remote attacker to execute commands on the system. This is achieved by submitting a specially crafted HTTP request to the /html/execute.php API endpoint, utilizing a malicious payload within the id parameter. Successful exploitation results in arbitrary command execution, potentially leading to full remote code execution (RCE).

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the /html/execute.php endpoint. Avoid using the id parameter in the affected API endpoint until the issue is resolved.