CVE Alert

CVE-2024-35164

MEDIUM 6.8

Apache Guacamole: Improper input validation of console codes

CVSS Score: 6.8
EPSS Score: 0.0%
EPSS Percentile: 0th

The terminal emulator of Apache Guacamole 1.5.5 and older does not properly validate console codes received from servers via text-based protocols like SSH. If a malicious user has access to a text-based connection, a specially-crafted sequence of console codes could allow arbitrary code to be executed with the privileges of the running guacd process. Users are recommended to upgrade to version 1.6.0, which fixes this issue.

CWE: CWE-129
Vendor: Apache Software Foundation
Product: Apache Guacamole
Published: Jul 2, 2025
Last Updated: Feb 26, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Affected Versions

Apache Software Foundation / Apache Guacamole
0.8.0 ≤ 1.5.5

References

lists.apache.org: https://lists.apache.org/thread/sgs8lplbkrpvd3hrvcnnxh3028h4py70
openwall.com: http://www.openwall.com/lists/oss-security/2025/07/01/2

Credits

Tizian Seehaus (Tibotix)