CVE-2025-63334
Published: 05 November 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-63334, published on 2025-11-05, is an unauthenticated remote code execution vulnerability in PocketVJ CP PocketVJ-CP-v3 pvj version 3.9.1. The flaw exists in the submit_opacity.php component, where the application fails to sanitize the opacityValue POST parameter before passing it to a shell command, enabling OS command injection as described by CWE-78.
The vulnerability can be exploited by remote attackers with no privileges or user interaction required, accessible over the network with low attack complexity. Exploitation grants attackers the ability to execute arbitrary commands with root privileges on the underlying system, resulting in high confidentiality, integrity, and availability impacts, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Advisories reference a GitHub Gist at https://gist.github.com/mamdouhalrekabi-ops/e7686a0bdd197c77c1b54191e1a2880f and the PocketVJ-CP-v3 release page at https://github.com/magdesign/PocketVJ-CP-v3/releases/tag/release for additional details, which security practitioners should review for mitigation guidance or patched versions.
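The summary above describes the classic CWE-78 shape: a request parameter flows into a shell command string without validation or quoting. The following PHP is an added illustration of that pattern beside a hardened version; it is not the code of PocketVJ-CP-v3's submit_opacity.php, and the helper script path (`/usr/local/bin/set_opacity.sh`) and the handler function names are assumptions made for the example.

```php
<?php
// Added example (not the project's code). Only the parameter name
// "opacityValue" comes from the advisory; the script path and function
// names below are assumptions.

// Vulnerable pattern: the POST value is concatenated straight into the
// command string. Any shell metacharacter in the value (";", "|", "$(...)")
// is interpreted by the shell, which is exactly the CWE-78 condition.
function vulnerable_handler(array $post): string
{
    $opacity = $post['opacityValue'] ?? '0';
    return (string) shell_exec('/usr/local/bin/set_opacity.sh ' . $opacity);
}

// Hardened step 1: strict allow-list validation. An opacity is an integer
// in 0..100 and nothing else; everything else is rejected before any
// command is built.
function validate_opacity($raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 100],
    ]);
    return $v === false ? null : $v;
}

// Hardened step 2: even the validated value is passed as a single quoted
// argument via escapeshellarg(), so the shell can never treat it as code.
function hardened_handler(array $post): string
{
    $opacity = validate_opacity($post['opacityValue'] ?? null);
    if ($opacity === null) {
        http_response_code(400);
        return 'invalid opacityValue';
    }
    $cmd = '/usr/local/bin/set_opacity.sh ' . escapeshellarg((string) $opacity);
    return (string) shell_exec($cmd);
}

// Example dispatch for a real request; both handlers are kept only so the
// two patterns can be compared side by side.
if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    echo hardened_handler($_POST);
}
```

Validation (the allow-list) is the primary control, because it stops the malformed value at the boundary; `escapeshellarg()` is defence in depth for the case where validation is later loosened. Where the PHP version permits it, passing an argument array to `proc_open()` avoids invoking a shell at all. Independently of the code fix, running the web application as an unprivileged account rather than root limits what a successful injection can do, which directly addresses the root-level impact the advisory describes.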
Details
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command, "OS Command Injection")
Affected Products
- PocketVJ CP PocketVJ-CP-v3 pvj version 3.9.1
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.004 Command and Scripting Interpreter: Unix Shell
Why these techniques?
Unauthenticated RCE via command injection in a public-facing PHP web application (T1190) enables arbitrary shell command execution on a Unix-like system as root (T1059.004).