CVE-2025-63334 — CRITICAL (9.8)

Vulnerability Description

PocketVJ CP PocketVJ-CP-v3 pvj version 3.9.1 contains an unauthenticated remote code execution vulnerability in the submit_opacity.php component. The application fails to sanitize user input in the opacityValue POST parameter before passing it to a shell command, allowing remote attackers to execute arbitrary commands with root privileges on the underlying system.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Magdesign	Pocketvj Control Panel Firmware	3.9.1
Magdesign	Pocketvj Control Panel	-

Related Weaknesses (CWE)

CWE-78

References

https://gist.github.com/mamdouhalrekabi-ops/e7686a0bdd197c77c1b54191e1a2880fExploitThird Party Advisory
https://github.com/magdesign/PocketVJ-CP-v3/releases/tag/releaseRelease Notes

FAQ

What is CVE-2025-63334?

CVE-2025-63334 is a vulnerability with a CVSS score of 9.8 (CRITICAL). PocketVJ CP PocketVJ-CP-v3 pvj version 3.9.1 contains an unauthenticated remote code execution vulnerability in the submit_opacity.php component. The application fails to sanitize user input in the op...

How severe is CVE-2025-63334?

CVE-2025-63334 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2025-63334?

Check the references section above for vendor advisories and patch information. Affected products include: Magdesign Pocketvj Control Panel Firmware, Magdesign Pocketvj Control Panel.