Home

Description

A template injection vulnerability exists in Sawtooth Software’s Lighthouse Studio versions prior to 9.16.14 via the ciwweb.pl http://ciwweb.pl/ Perl web application. Exploitation allows an unauthenticated attacker can execute arbitrary commands.

PUBLISHED Reserved 2025-04-15 | Published 2025-07-16 | Updated 2026-05-26 | Assigner VulnCheck




CRITICAL: 10.0CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-20 Improper Input Validation

CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine

Product status

Default status
unaffected

Any version before 9.16.14
affected

Credits

Adam Kues - Assetnote finder

References

slcyber.io/...-popular-survey-software-youve-never-heard-of/ exploit

sawtoothsoftware.com/...ds/lighthouse-studio/version-history product patch

slcyber.io/...-popular-survey-software-youve-never-heard-of/ technical-description

www.vulncheck.com/...lighthouse-studio-preauthentication-rce third-party-advisory

cve.org (CVE-2025-34300)

nvd.nist.gov (CVE-2025-34300)

Download JSON