Cyber Posture

CVE-2024-53615

Medium

Published: 30 January 2025

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.2094 (95.7th percentile)
Risk Priority: 26 (60% EPSS · 20% KEV · 20% CVSS)

Description

A command injection vulnerability in the video thumbnail rendering component of Karl Ward's files.gallery v0.3.0 through 0.11.0 allows remote attackers to execute arbitrary code via a crafted video file.

Security Summary

CVE-2024-53615 is a command injection vulnerability (CWE-77) in the video thumbnail rendering component of Karl Ward's files.gallery, affecting versions 0.3.0 through 0.11.0. It enables remote attackers to execute arbitrary code by uploading a specially crafted video file, which triggers malicious command execution during thumbnail generation.

The vulnerability has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N), indicating that it is exploitable over the network with low complexity and that no authentication or user interaction is required. Unauthenticated remote attackers can target files.gallery instances that process uploaded videos, achieving limited impacts on confidentiality and integrity through arbitrary code execution, such as reading sensitive data or modifying files, without affecting availability.

Mitigation details are available in the advisory at https://github.com/beune/CVE-2024-53615.

Details

CWE(s)
CWE-77
