CVE-2025-32778 Scanner - OS Command Injection vulnerability in Web-Check
Short Info
Level
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 12 days 5 hours
Scan only one: Domain, Subdomain, IPv4
Web-Check is a tool used by developers and web administrators to perform automated checks on website functionality and performance. It is typically used in development environments and sometimes in production to ensure that web applications are running smoothly. The tool provides various APIs for users to interact with and obtain information about their web applications. It was created by Lissy93 to help streamline website maintenance and management tasks.
The OS Command Injection vulnerability found in Web-Check allows attackers to execute arbitrary system commands. This security flaw arises due to unsanitized user input in the screenshot API, making it possible for attackers to compromise the system by sending specially crafted URL parameters. This vulnerability is particularly critical as it could lead to a full compromise of the affected system.
Technical details reveal that the screenshot API in Web-Check fails to properly sanitize user input, allowing the execution of arbitrary commands on the hosting server. The vulnerable endpoint is the screenshot API, which accepts user input via URL parameters. Attackers can use these parameters to inject malicious commands, leading to unauthorized command execution and potential system control.
If exploited, the OS Command Injection vulnerability could enable attackers to execute commands with the same privileges as the vulnerable application. This can result in unauthorized access to sensitive data, further network penetration, and possibly a complete system takeover. It significantly increases the risk of data theft, disruption of services, and damage to the hosting environment.
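The hardening pattern for the screenshot API issue described above, as an added example that is not Web-Check's own code. It assumes a Node.js handler that launches a headless Chromium binary; `CHROME_BIN`, `validateTargetUrl`, `buildScreenshotArgs` and `captureScreenshot` are hypothetical names.

```javascript
// Added example, not Web-Check's code. Assumption: the handler launches a
// headless Chromium binary; CHROME_BIN and all function names are hypothetical.
const CHROME_BIN = process.env.CHROME_BIN || "chromium";

// Weak pattern (kept as a comment only): interpolating the parameter into a
// string that a shell parses, e.g. exec(`${CHROME_BIN} --screenshot ${url}`),
// lets shell metacharacters in the parameter change the command.

// Validate the user-supplied URL parameter and return its normalized form.
function validateTargetUrl(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    throw new Error("url parameter missing or too long");
  }
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    throw new Error("url parameter is not an absolute URL");
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    throw new Error("only http and https URLs are accepted");
  }
  return parsed.href; // always starts with http(s):, so never parsed as a flag
}

// Build the argument vector: each element reaches the child as one argv entry.
// outFile is expected to be chosen by the server, not taken from the request.
function buildScreenshotArgs(rawUrl, outFile) {
  return ["--headless", `--screenshot=${outFile}`, validateTargetUrl(rawUrl)];
}

// Run the browser without a shell. execFile does not spawn /bin/sh by default,
// so the URL is data, never command text.
async function captureScreenshot(rawUrl, outFile) {
  const { execFile } = await import("node:child_process");
  const args = buildScreenshotArgs(rawUrl, outFile);
  return new Promise((resolve, reject) => {
    execFile(CHROME_BIN, args, { timeout: 15000 }, (err) =>
      err ? reject(err) : resolve(outFile));
  });
}
```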