CVE-2025-32778

Web-Check allows Command Injection via Unvalidated URL in Screenshot API

CVSS 9.3 (Critical) · EPSS 20.0% · CWE-78
Vexday Risk Score: 68 (High priority)
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 9.3 · EPSS 20.0% · KEV: no · Public PoC: yes · Nuclei: yes · Metasploit: yes · Patch
Lifecycle
12 Apr 2025: Metasploit module available
15 Apr 2025: Published on NVD
17 Aug 2025: Public PoC
Recommendation: Plan a near-term fix — a public PoC already exists.
Web-Check is an all-in-one OSINT tool for analyzing any website. A command injection vulnerability exists in the screenshot API of the Web Check project (Lissy93/web-check). The issue stems from user-controlled input (url) being passed unsanitized into a shell command using exec(), allowing attackers to execute arbitrary system commands on the underlying host. This could be exploited by sending crafted url parameters to extract files or even establish remote access. The vulnerability has been patched by replacing exec() with execFile(), which avoids using a shell and properly isolates arguments.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
Lissy93 · web-check