CVE-2025-1497 (Severity: CRITICAL)

CVE-2025-1497: Remote Code Execution in PlotAI

Vendor Mljar
Product PlotAI
Weakness CWE-94 · Code injection
Published March 10, 2025
Last update October 3, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

A vulnerability that could result in Remote Code Execution (RCE) has been found in PlotAI. Lack of validation of LLM-generated output allows an attacker to execute arbitrary Python code. The vendor commented out the vulnerable line; further use of the software requires uncommenting it and thus accepting the risk. The vendor does not plan to release a patch for this vulnerability.
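The pattern behind CWE-94 here is model-generated text being handed to the interpreter without any check. Because the prompt that produces that text usually carries data an outside party controls (column names, cell values, the user's request), the generated code has to be treated as untrusted input. The following is an added illustration, not PlotAI's code and not an analysis of its internals: it gates execution behind a static allowlist check over the Python AST. The module names in `ALLOWED_IMPORTS`, the builtins in `DENIED_CALLS`, and the sample snippets are all assumptions constructed for the example.

```python
"""
Added example (hypothetical, not the vendor's code): refuse to execute
LLM-generated Python unless it passes a static allowlist check.
"""
import ast

# Assumed policy for a plotting helper: only these modules may be imported.
ALLOWED_IMPORTS = {"pandas", "matplotlib", "matplotlib.pyplot", "numpy"}

# Builtins that turn "draw a chart" into arbitrary execution or introspection.
DENIED_CALLS = {
    "exec", "eval", "compile", "open", "__import__", "input",
    "getattr", "setattr", "delattr", "globals", "locals", "vars", "breakpoint",
}


def check_generated_code(code: str) -> list:
    """Return the reasons the code must NOT run; an empty list means it passed."""
    problems = []
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return [f"not parseable: {exc.msg}"]

    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name not in ALLOWED_IMPORTS:
                    problems.append(f"import of {alias.name!r} not allowed")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "") not in ALLOWED_IMPORTS:
                problems.append(f"import from {node.module!r} not allowed")
        elif isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id in DENIED_CALLS:
                problems.append(f"call to {func.id}() not allowed")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            # Dunder attribute access is the usual route around an allowlist.
            problems.append(f"dunder attribute {node.attr!r} not allowed")
    return problems


def run_if_safe(code: str, namespace: dict) -> dict:
    """Execute only code that passed the check; raise instead of running otherwise."""
    problems = check_generated_code(code)
    if problems:
        raise ValueError("refusing to execute generated code: " + "; ".join(problems))
    exec(compile(code, "<generated>", "exec"), namespace)
    return namespace


# Constructed sample "model outputs" for demonstration.
BENIGN_SNIPPET = (
    "import pandas as pd\n"
    "import matplotlib.pyplot as plt\n"
    "plt.plot(df['x'], df['y'])\n"
    "plt.show()\n"
)
UNEXPECTED_IMPORT = "import os\nprint(os.environ)\n"
DUNDER_SNIPPET = "__import__('os')\n"

if __name__ == "__main__":
    for label, snippet in [("benign", BENIGN_SNIPPET),
                           ("unexpected import", UNEXPECTED_IMPORT),
                           ("dunder", DUNDER_SNIPPET)]:
        print(label, "->", check_generated_code(snippet) or "passes")
```

A static allowlist like this is a first gate, not a sandbox: the Python runtime has many ways to reach the same capabilities, so the generated code should additionally run in a separate process with no network access and the least privilege the plotting task needs, and the check's rejections should be logged, since a stream of rejected snippets is itself a useful detection signal.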

Disclosure timeline

March 10, 2025 CVE published
October 3, 2025 Record updated
