CVE-2025-15545

Name of the Vulnerable Software and Affected Versions versions prior to 2.3

Description The backup restore function does not properly validate unexpected or unrecognized tags within the backup file. When a crafted file is restored, the injected tag is interpreted by a shell, allowing execution of arbitrary commands with root privileges. Successful exploitation allows an attacker to gain root-level command execution, compromising confidentiality, integrity, and availability. The vulnerability allows for the execution of arbitrary commands via the /api/v1/restore endpoint using a crafted backup file containing malicious tags. The vulnerable parameter is the backup file.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.