CVE-2024-1297 HIGH

CVE-2024-1297: Loomio 2.22.0 - Code injection

Vendor Loomio

Product Loomio

Weakness CWE-78

Published February 19, 2024

Last update April 20, 2026

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Loomio version 2.22.0 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to OS Command Injection.

Key dates

02Disclosure timeline

February 19, 2024 CVE published

April 20, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-1297 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

04Related CVE

CVE-2022-1813 OS Command Injection in yogeshojha/rengine CVE-2026-5994 Totolink A7100RU CGI cstecgi.cgi setTelnetCfg os command injection CVE-2026-49190 Missing Per-Instruction Authorization Checks CVE-2025-54133 Cursor's MCP Install Deeplink Does Not Show Arguments in its User-Dialog CVE-2021-3059 PAN-OS: OS Command Injection Vulnerability When Performing Dynamic Updates