CVE-2025-34073 CRITICAL

CVE-2025-34073: stamparm/maltrail <=0.54 Remote Command Execution

Vendor Stamparm
Product Maltrail
Weakness CWE-78
Published July 2, 2025
Last update May 14, 2026

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

An unauthenticated command injection vulnerability exists in stamparm/maltrail (Maltrail) versions <=0.54. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint. This occurs due to unsafe handling of user-supplied input passed to subprocess.check_output() in core/http.py, allowing injection of shell metacharacters. Exploitation does not require authentication and commands are executed with the privileges of the Maltrail process.

Key dates

02Disclosure timeline

July 2, 2025 CVE published
May 14, 2026 Record updated

Related vulnerabilities

04Related CVE