CVE-2025-1497

CRITICAL

Mljar Plotai < 0.0.7 - Command Injection

Title source: rule

Description

A vulnerability, that could result in Remote Code Execution (RCE), has been found in PlotAI. Lack of validation of LLM-generated output allows attacker to execute arbitrary Python code. Vendor commented out vulnerable line, further usage of the software requires uncommenting it and thus accepting the risk. The vendor does not plan to release a patch to fix this vulnerability.

References (4)

Core 4

Core References

Product product

https://github.com/mljar/plotai

View Writeup ZIP pw:eip

Third Party Advisory third-party-advisory

https://cert.pl/posts/2025/03/CVE-2025-1497

Third Party Advisory third-party-advisory

https://cert.pl/en/posts/2025/03/CVE-2025-1497

Patch patch

https://github.com/mljar/plotai/commit/bdcfb13484f0b85703a4c1ddfd71cb21840e7fde

View Patch ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0557

EPSS Percentile 90.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-94 CWE-77

Status published

Products (2)

mljar/plotai < 0.0.7

pypi/plotai 0 - 0.0.7PyPI

Published Mar 10, 2025

Tracked Since Feb 18, 2026