CVE-2025-6193

Published: Jun 20, 2025Modified: Mar 25, 2026

5.9

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Exploitability: 1.7 / Impact: 3.7

Source: secalert@redhat.com (Secondary)

Description

A command injection vulnerability was discovered in the TrustyAI Explainability toolkit. Arbitrary commands placed in certain fields of a LMEValJob custom resource (CR) may be executed in the LMEvalJob pod's terminal. This issue can be exploited via a maliciously crafted LMEvalJob by a user with permissions to deploy a CR.

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (4)

https://access.redhat.com/errata/RHSA-2026:5807

Source: secalert@redhat.com

https://access.redhat.com/security/cve/CVE-2025-6193

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2374032

Source: secalert@redhat.com

https://github.com/trustyai-explainability/trustyai-service-operator/pull/504

Source: secalert@redhat.com

Timeline

No history available yet.