Unrated severityNVD Advisory· Published Aug 26, 2025· Updated Aug 27, 2025

CVE-2025-50974

Description

The Calamaris log exporter CGI (/cgi-bin/logs.cgi/calamaris.dat) in IPFire 2.29 does not properly sanitize user-supplied input before incorporating parameter values into a shell command. An unauthenticated remote attacker can inject arbitrary OS commands by embedding shell metacharacters in any of the following parameters BYTE_UNIT, DAY_BEGIN, DAY_END, HIST_LEVEL, MONTH_BEGIN, MONTH_END, NUM_CONTENT, NUM_DOMAINS, NUM_HOSTS, NUM_URLS, PERF_INTERVAL, YEAR_BEGIN, YEAR_END.

Affected products

IPFire/IPFiredescription
Ipfire/Ipfirellm-fuzzy
Range: =2.29

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/4rdr/proofs/blob/main/info/IPFire-2.29-Command-Injection.mdmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000