CVE-2025-67738 | THREATINT

Description

squid/cachemgr.cgi in Webmin before 2.600 does not properly quote arguments. This is relevant if Webmin's Squid module and its Cache Manager feature are available, and an untrusted party is able to authenticate to Webmin and has certain Cache Manager permissions (the "cms" security option).

PUBLISHED Reserved 2025-12-11 | Published 2025-12-11 | Updated 2025-12-11 | Assigner mitre

HIGH: 8.5CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status

unaffected

Any version before 2.600

affected

References

github.com/...ommit/1a52bf4d72f9da6d79250c66e51f41c6f5b880ee

github.com/webmin/webmin/compare/2.520...2.600

cve.org (CVE-2025-67738)

nvd.nist.gov (CVE-2025-67738)

Download JSON