CVE-2025-24971

Source
https://cve.org/CVERecord?id=CVE-2025-24971
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-24971.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-24971
Aliases
  • GHSA-rx8m-jqm7-vcgp
Published
2025-02-04T18:53:30.287Z
Modified
2026-04-02T12:45:34.006132Z
Severity
  • 9.5 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Summary
OS Command Injection in endpoint '/upload/init', parameter 'filename' (RCE) in DumbDrop
Details

DumbDrop is a stupid simple file upload application that provides an interface for dragging and dropping files. An OS Command Injection vulnerability was discovered in the DumbDrop application's /upload/init endpoint. This vulnerability could allow an attacker to execute arbitrary code remotely when the Apprise Notification feature is enabled. This issue has been addressed in commit 4ff8469d and all users are advised to patch. There are no known workarounds for this vulnerability.

Database specific
{
    "cwe_ids": [
        "CWE-78"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/24xxx/CVE-2025-24971.json"
}
References

Affected packages

Git / github.com/dumbwareio/dumbdrop

Affected ranges

Type
GIT
Repo
https://github.com/dumbwareio/dumbdrop
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-24971.json"