Unrated severityNVD Advisory· Published Dec 22, 2025· Updated Apr 7, 2026

PhotoShow 3.0 Remote Code Execution via Exiftran Path Injection

CVE-2023-53981

Description

PhotoShow 3.0 contains a remote code execution vulnerability that allows authenticated administrators to inject malicious commands through the exiftran path configuration. Attackers can exploit the ffmpeg configuration settings by base64 encoding a reverse shell command and executing it through a crafted video upload process.

Affected products

PhotoShow/PhotoShowllm-create
Range: =3.0
thibaud-rohmer/PhotoShowv5
Range: 3.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.exploit-db.com/exploits/51236mitreexploit
www.vulncheck.com/advisories/photoshow-remote-code-execution-via-exiftran-path-injectionmitrethird-party-advisory
lscp.llc/index.php/2021/07/19/how-white-box-hacking-works-remote-code-execution-and-stored-xss-in-photoshow-3-0/mitreproduct

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000