High severity (7.5) · GHSA Advisory · Published Oct 30, 2025 · Updated Apr 15, 2026
CVE-2025-61141
Description
sqls-server/sqls 0.2.28 is vulnerable to command injection in the config command because the openEditor function passes the EDITOR environment variable and config file path to sh -c without sanitization, allowing attackers to execute arbitrary commands.
Affected products
- Range: = 0.2.28
- GHSA coordinates (2 versions): pkg:golang/github.com/sqls-server/sqls; pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
- (no CPE)
- (no CPE), range: < 0.0.20251105T184115-1.1
References
- github.com/advisories/GHSA-f9f4-5859-29mf (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-61141 (GHSA, advisory)
- advisory.dw1.io/54 (GHSA, web)
- github.com/sqls-server/sqls/commit/468a23fc89af89f632cc023a10c031e4bc781797 (GHSA, web)
- lukmanern.github.io/CVE-2025-61141.html (NVD, web)
- pkg.go.dev/vuln/GO-2025-4088 (GHSA, web)
- advisory.dw1.io/54/ (NVD)