
OpenBullet2 CVE-2026-25855

EUVD-2026-35134 · HIGH
OS Command Injection (CWE-78)
2026-06-08 · VulnCheck · GHSA-5jmp-7g8v-5p3h
CVSS 4.0 (NVD): 8.7

Severity by source

NVD (primary): 8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; it is the only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: X

Lifecycle Timeline

  • Jun 08, 2026 17:22 (vuln.today): Re-analysis queued
  • Jun 08, 2026 17:22 (NVD): CVSS changed from 8.8 (HIGH) to 8.7 (HIGH)
  • Jun 08, 2026 17:21 (vuln.today): Analysis generated

Description (CVE.org)

OpenBullet2 through version 0.3.2 contains a remote code execution vulnerability that allows authenticated users to execute arbitrary commands by uploading script files (.bat, .ps1, .sh) through the FileProxySource proxy loading feature. Attackers can upload malicious script files as proxy sources, causing the server to execute the scripts and return output as proxy lines, resulting in arbitrary command execution on the host as the process user.

Analysis (AI-generated)

Remote code execution in OpenBullet2 through 0.3.2 allows authenticated users to execute arbitrary OS commands by abusing the FileProxySource proxy loading feature: a malicious .bat, .ps1, or .sh script file is uploaded as a proxy source, the server executes it, and the script's output is returned as proxy lines. Publicly available exploit code exists per the VulnCheck advisory and a HackerNoon writeup, and the issue carries a CVSS 8.8 (High) with low attack complexity and only low-privilege authentication required. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Recon: Obtain OpenBullet2 user credentials or bypass auth
  • Delivery: Authenticate to web UI over network
  • Exploit: Upload malicious .ps1/.sh/.bat script
  • Install: Register file as FileProxySource
  • C2: Trigger proxy load to execute script
  • Execute: Command execution as service user
  • Impact: Pivot or persist on host

Vulnerability Assessment (AI-generated)

Exploitation: The attacker must (1) have authenticated access to an OpenBullet2 instance at version 0.3.2 or earlier, with network reachability to the web UI, and (2) be able to reach the FileProxySource proxy-loading feature to register a script file (.bat on Windows hosts, .ps1 for PowerShell, or .sh on Linux hosts) as a proxy source. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H indicates a network-reachable, low-complexity, authenticated attack with full confidentiality, integrity, and availability impact and no user interaction, consistent with abusing an authenticated upload endpoint to achieve code execution as the OpenBullet2 process user. … Full risk analysis with EPSS, KEV, and SSVC signal comparison is available after sign-in.

Exploit Scenario: An attacker with a low-privileged OpenBullet2 account (or one obtained via the related empty-header auth bypass) authenticates to the web UI and adds a new FileProxySource pointing at an uploaded malicious .ps1 or .sh script containing arbitrary commands. When OpenBullet2 loads the proxy source, it executes the script and reads its stdout as "proxy lines", which yields arbitrary command execution as the OpenBullet2 process user; the publicly available exploit details from VulnCheck and HackerNoon make this trivial to reproduce.

Remediation: No vendor-released patch was identified at the time of analysis based on the supplied references, so an upgrade to a fixed version cannot be cited with a specific version number. Monitor the OpenBullet2 GitHub project and the VulnCheck advisory (https://www.vulncheck.com/advisories/openbullet2-authenticated-rce-via-fileproxysource-script-upload) for a tagged release that addresses FileProxySource handling. … Detailed patch versions, workarounds, and compensating controls are in the full report.

Recommended Action (AI-generated)

Within 24 hours: Inventory all OpenBullet2 instances and restrict network access to trusted networks/users only. …
