CVE-2025-63334

Published: Nov 5, 2025Modified: Jan 9, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

PocketVJ CP PocketVJ-CP-v3 pvj version 3.9.1 contains an unauthenticated remote code execution vulnerability in the submit_opacity.php component. The application fails to sanitize user input in the opacityValue POST parameter before passing it to a shell command, allowing remote attackers to execute arbitrary commands with root privileges on the underlying system.

Affected (1)

Products: Magdesign: Pocketvj Control Panel Firmware

1 product

Pocketvj Control Panel Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Magdesign Pocketvj Control Panel Firmware	Version 3.9.1

Running on/with	Platform Versions
Magdesign Pocketvj Control Panel	All versions

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

https://gist.github.com/mamdouhalrekabi-ops/e7686a0bdd197c77c1b54191e1a2880f

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/magdesign/PocketVJ-CP-v3/releases/tag/release

Source: cve@mitre.org

Release Notes

Timeline

No history available yet.