CVE-2025-27106

Name of the Vulnerable Software and Affected Versions binance-trading-bot versions prior to 0.0.100

Description The binance-trading-bot is an automated Binance trading bot with a trailing buy/sell strategy. Authenticated users can achieve Remote Code Execution on the host system due to a command injection vulnerability in the "/restore" endpoint. The name of the uploaded file is passed to shell.exec without sanitization, resulting in Remote Code Execution. This may allow any authorized user to execute code in the context of the host machine.

Recommendations For versions prior to 0.0.100, upgrade to version 0.0.100 or later to address the issue. As a temporary workaround, consider restricting access to the "/restore" endpoint until the issue is resolved. Avoid using the shell.exec function with unsanitized input from uploaded files.