🔐 CVE Alert

CVE-2025-34030

UNKNOWN 0.0

sar2html OS Command Injection

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

An OS command injection vulnerability exists in sar2html version 3.2.2 and prior via the plot parameter in index.php. The application fails to sanitize user-supplied input before using it in a system-level context. Remote, unauthenticated attackers can inject shell commands by appending them to the plot parameter (e.g., ?plot=;id) in a crafted GET request. The output of the command is displayed in the application's interface after interacting with the host selection UI. Successful exploitation leads to arbitrary command execution on the underlying system. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.
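One way to hunt for the request pattern described above in web server access logs, added here as an example and not taken from sar2html or the referenced advisories. It assumes Common/Combined Log Format, that legitimate plot values are short plain tokens, and that index.php may also be served as the directory index; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumption: legitimate plot values are short plain tokens; anything else is reported.
SAFE_PLOT = re.compile(r"[A-Za-z0-9_.-]{1,64}")
# Client address and request line of a Common/Combined Log Format entry.
ENTRY = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_plot_values(target):
    """Return decoded plot values in a request target that fail the allowlist."""
    url = urlsplit(target)
    # index.php may be requested by name or reached as the directory index.
    if not (url.path.endswith("index.php") or url.path.endswith("/")):
        return []
    hits = []
    for pair in url.query.split("&"):
        key, _, raw = pair.partition("=")
        if unquote_plus(key) != "plot":
            continue
        value = unquote_plus(raw)  # decode once, as the web server does
        if not SAFE_PLOT.fullmatch(value):
            hits.append(value)  # a leftover '%' means the value was double-encoded
    return hits

def scan(lines):
    """Return (client, plot value) pairs for log entries that need review."""
    findings = []
    for line in lines:
        m = ENTRY.match(line)
        if m:
            findings += [(m.group("client"), v)
                         for v in suspicious_plot_values(m.group("target"))]
    return findings

# Constructed sample entries (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:09:00:01 +0000] "GET /sar2html/index.php?plot=LINUX HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [01/Jan/2025:09:00:05 +0000] "GET /sar2html/index.php?plot=;id HTTP/1.1" 200 1543 "-" "curl/8.5.0"',
    '198.51.100.23 - - [01/Jan/2025:09:00:06 +0000] "GET /sar2html/index.php?plot=%3Bid HTTP/1.1" 200 1543 "-" "curl/8.5.0"',
    '192.0.2.10 - - [01/Jan/2025:09:00:09 +0000] "GET /index.php?page=2 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2025:09:00:12 +0000] "GET /sar2html/?plot=%253Bid HTTP/1.1" 200 1543 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client}\tplot={value!r}")
```

Because the command output is rendered in the application's interface, a hit with a 200 response is worth correlating with the same client's subsequent requests to the host selection UI.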

CWE: CWE-78
Vendor: sar2html
Product: sar2html
Published: Jun 20, 2025
Last Updated: Apr 7, 2026

Affected Versions

sar2html / sar2html: versions from 0 up to and including 3.2.2

References

github.com: https://github.com/cemtan/sar2html
exploit-db.com: https://www.exploit-db.com/exploits/47204
fortiguard.com: https://www.fortiguard.com/encyclopedia/ips/48624
vulncheck.com: https://vulncheck.com/advisories/sar2html-command-injection

Credits

Furkan Kayapinar