Home

Description

Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in TkEasyGUI versions prior to v1.0.22. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote unauthenticated attacker if the settings are configured to construct messages from external sources.

PUBLISHED Reserved 2025-09-03 | Published 2025-09-05 | Updated 2025-09-05 | Assigner jpcert




CRITICAL: 9.8CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

Improper neutralization of special elements used in an OS command ('OS Command Injection')

Product status

versions prior to v1.0.22
affected

References

github.com/kujirahand/tkeasygui-python/releases/tag/v1.0.22

jvn.jp/en/jp/JVN48739895/

cve.org (CVE-2025-55037)

nvd.nist.gov (CVE-2025-55037)

Download JSON