Critical severityNVD Advisory· Published Jun 20, 2025· Updated Apr 15, 2026

CVE-2025-34030

Description

An OS command injection vulnerability exists in sar2html version 3.2.2 and prior via the plot parameter in index.php. The application fails to sanitize user-supplied input before using it in a system-level context. Remote, unauthenticated attackers can inject shell commands by appending them to the plot parameter (e.g., ?plot=;id) in a crafted GET request. The output of the command is displayed in the application's interface after interacting with the host selection UI. Successful exploitation leads to arbitrary command execution on the underlying system. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

vulncheck.com/advisories/sar2html-command-injectionnvd
www.exploit-db.com/exploits/47204nvd
www.fortiguard.com/encyclopedia/ips/48624nvd

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.007
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000