CVE-2025-67728 CRITICAL

CVE-2025-67728: Fireshare Public Uploads feature is vulnerable to OS Command Injection (RCE)

Vendor Shaneisrael
Product fireshare
Weakness CWE-77
Published December 12, 2025
Last update December 12, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Fireshare facilitates self-hosted media and link sharing. Versions 1.2.30 and below allow an authenticated user, or unauthenticated user if the Public Uploads setting is enabled, to craft a malicious filename when uploading a video file. The malicious filename is then concatenated directly into a shell command, which can be used for uploading files to arbitrary directories via path traversal, or executing system commands for Remote Code Execution (RCE). This issue is fixed in version 1.3.0.

Key dates

02Disclosure timeline

December 12, 2025 CVE published
December 12, 2025 Record updated