CVE-2025-51958

CRITICAL

Aelsantex Runcommand - OS Command Injection

Title source: rule

Description

aelsantex runcommand 2014-04-01, a plugin for DokuWiki, allows unauthenticated attackers to execute arbitrary system commands via lib/plugins/runcommand/postaction.php.

References (3)

Core 3

Core References

Third Party Advisory

https://gist.github.com/NtustLin/f64528002e4f61874045799127dc49a4

Product

https://github.com/aelsantex/runcommand

View Writeup ZIP pw:eip

Product

https://www.dokuwiki.org/plugin:runcommand

Scores

CVSS v3 9.8

EPSS 0.0014

EPSS Percentile 33.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-78

Status published

Products (1)

aelsantex/runcommand 2014-04-01

Published Jan 30, 2026

Tracked Since Feb 18, 2026