CVE-2025-56814
Description
Command injection in OpenCPN Launcher Plugin v1.3.5 allows arbitrary code execution via shell metacharacters in user-defined commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in OpenCPN Launcher Plugin v1.3.5 allows arbitrary code execution via shell metacharacters in user-defined commands.
Vulnerability
The Launcher Plugin for OpenCPN v5.12.0 (plugin version v1.3.5) contains a command injection vulnerability in the wxExecute() function. The LauncherUIDialog::OnBtnClick handler in launcher_pi.cpp directly passes a user-defined command string to wxExecute(cmd, wxEXEC_ASYNC) without any sanitization or escaping. This allows an attacker to embed shell metacharacters (e.g., ;, ` `, |`) in the command, which are interpreted by the underlying system shell.
Exploitation
An attacker must have the ability to configure or provide a malicious button definition to the Launcher Plugin. When a victim clicks the button, the plugin builds the command string (including any injected metacharacters) and feeds it to the shell. The proof-of-concept code from the reference demonstrates that no filtering occurs before the wxExecute() call. The attack requires user interaction (clicking the button), but no special privileges beyond those needed to load a chart or configuration that contains the malicious command.
Impact
Successful exploitation results in arbitrary code execution with the same privileges as the OpenCPN process. On Windows (the vulnerable environment described in the reference), this could lead to full system compromise, data exfiltration, or further lateral movement within the network, depending on the runtime context.
Mitigation
As of the publication date, no official patch has been released for CVE-2025-56814. The vendor recommends avoiding the use of user-defined commands from untrusted sources, or disabling the Launcher Plugin entirely until a fix is applied. Users should treat any third-party configuration files as potentially malicious and inspect them for unexpected shell metacharacters [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The Launcher Plugin passes a user-defined command string directly to wxExecute() without sanitization, allowing shell metacharacter injection."
Attack vector
An attacker who can configure or influence the command string stored in a Launcher Plugin button can inject shell metacharacters such as `&` or `|` to chain arbitrary commands [ref_id=1]. Because the command is executed asynchronously via `wxExecute` with `wxEXEC_ASYNC`, the injected payload runs in the system shell without user interaction beyond the initial button click. This leads to arbitrary code execution on the victim's machine.
Affected code
The vulnerable function is `LauncherUIDialog::OnBtnClick` in `launcher_pi.cpp` (nohal/launcher_pi.cpp) of the Launcher Plugin v1.3.5. It passes the user-defined command string directly to `wxExecute(cmd, wxEXEC_ASYNC)` without any sanitization or filtering of shell metacharacters.
What the fix does
The advisory does not include a published patch. To remediate, the application should validate or sanitize the command string before passing it to `wxExecute`, for example by escaping shell metacharacters or using an API that does not invoke a shell. The researcher recommends proper filtering of user-defined commands to prevent injection of unintended shell operators [ref_id=1].
Preconditions
- configThe attacker must be able to set or modify the command string stored in a Launcher Plugin button (e.g., via a configuration file or plugin settings).
- inputThe victim must click the configured button in the OpenCPN Launcher Plugin to trigger the vulnerable code path.
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.