CVE-2025-51958

CRITICAL

Aelsantex Runcommand - OS Command Injection

Title source: rule

Description

aelsantex runcommand 2014-04-01, a plugin for DokuWiki, allows unauthenticated attackers to execute arbitrary system commands via lib/plugins/runcommand/postaction.php.

References (3)

[Third Party Advisory] https://gist.github.com/NtustLin/f64528002e4f61874045799127dc49a4

[Product] https://github.com/aelsantex/runcommand

View Writeup ZIP pw:eip

[Product] https://www.dokuwiki.org/plugin:runcommand

Scores

CVSS v3 9.8

EPSS 0.0014

EPSS Percentile 33.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-78

Status published

Affected Products (1)

aelsantex/runcommand

Timeline

Published Jan 30, 2026

Tracked Since Feb 18, 2026