PocketVJ CP PocketVJ-CP-v3 pvj version 3.9.1 contains an unauthenticated remote code execution vulnerability in the submit_opacity.php component. The application fails to sanitize user input in the opacityValue POST parameter before passing it to a shell command, allowing remote attackers to execute arbitrary commands with root privileges on the underlying system.
References
| Link | Resource |
|---|---|
| https://gist.github.com/mamdouhalrekabi-ops/e7686a0bdd197c77c1b54191e1a2880f | Exploit Third Party Advisory |
| https://github.com/magdesign/PocketVJ-CP-v3/releases/tag/release | Release Notes |
Configurations
Configuration 1 (hide)
| AND |
|
History
09 Jan 2026, 17:49
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://gist.github.com/mamdouhalrekabi-ops/e7686a0bdd197c77c1b54191e1a2880f - Exploit, Third Party Advisory | |
| References | () https://github.com/magdesign/PocketVJ-CP-v3/releases/tag/release - Release Notes | |
| First Time |
Magdesign pocketvj Control Panel
Magdesign pocketvj Control Panel Firmware Magdesign |
|
| CPE | cpe:2.3:h:magdesign:pocketvj_control_panel:-:*:*:*:*:*:*:* cpe:2.3:o:magdesign:pocketvj_control_panel_firmware:3.9.1:*:*:*:*:*:*:* |
05 Nov 2025, 21:15
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-78 | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
05 Nov 2025, 20:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-11-05 20:15
Updated : 2026-01-09 17:49
NVD link : CVE-2025-63334
Mitre link : CVE-2025-63334
CVE.ORG link : CVE-2025-63334
JSON object : View
Products Affected
magdesign
- pocketvj_control_panel
- pocketvj_control_panel_firmware
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')