CVE-2025-55037

CRITICAL

TkEasyGUI <1.0.22 - Command Injection

Description

Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in TkEasyGUI versions prior to v1.0.22. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote unauthenticated attacker if the settings are configured to construct messages from external sources.

Scores

CVSS v3 9.8
EPSS 0.0038
EPSS Percentile 59.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-78
Status published
Products (2)
kujirahand/TkEasyGUI versions prior to v1.0.22
pypi/TkEasyGUI 0 - 1.0.22 (PyPI)
Published Sep 05, 2025
Tracked Since Feb 18, 2026