CVE-2025-24971
9.5
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Summary
DumpDrop is a stupid simple file upload application that provides an interface for dragging and dropping files. An OS Command Injection vulnerability was discovered in the DumbDrop application, /upload/init endpoint. This vulnerability could allow an attacker to execute arbitrary code remotely when the Apprise Notification enabled. This issue has been addressed in commit 4ff8469d and all users are advised to patch. There are no known workarounds for this vulnerability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| DumbWareio | DumbDrop | < 4ff8469d | affected |
Weaknesses
- CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: total
Additional References
References
- https://github.com/DumbWareio/DumbDrop/security/advisories/GHSA-rx8m-jqm7-vcgp
- https://github.com/DumbWareio/DumbDrop/commit/4ff8469d69019d200046a67d326f51703bc4da63
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.