Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local app processing attacker-supplied input under an existing low-privileged user (AV:L/PR:L/UI:N); shell injection yields full code execution, so C/I/A all High.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
A code injection vulnerability in the wxExecute() function of OpenCPN v5.12.0 allows attackers to execute arbitrary code via embedding shell metacharacters.
AnalysisAI
Arbitrary code execution in OpenCPN v5.12.0 allows local authenticated users to run shell commands by embedding shell metacharacters in input passed to the wxExecute() function. CVSS 3.1 rates it 7.8 (High) with local attack vector and low privileges required, and SSVC assesses technical impact as total but with no observed exploitation. No public exploit identified at time of analysis beyond a researcher write-up referenced in the advisory.
Technical ContextAI
OpenCPN is an open-source chartplotter and marine navigation application widely used by recreational and commercial mariners. The flaw lies in the use of wxWidgets' wxExecute() function, a cross-platform process-launch API that, when called with a single command string, passes the string through a shell interpreter. The root cause maps to CWE-77 (Improper Neutralization of Special Elements used in a Command), meaning user-controlled input is concatenated into a command line without sanitization or escaping, so shell metacharacters such as ;, &&, |, $(...) and backticks are interpreted by the shell rather than treated as literal data. Secure usage of wxExecute() requires passing arguments as a tokenized array (wxArrayString) and avoiding shell-mediated invocation, neither of which appears to have been done in the vulnerable code path.
RemediationAI
No vendor-released patch identified at time of analysis - the input data lists no fix version, vendor advisory, or commit. Users of OpenCPN 5.12.0 should monitor the OpenCPN GitHub repository and project releases page for an updated build that replaces vulnerable wxExecute() string invocations with the array/argv form, and apply that release as soon as it is published; the researcher write-up at https://jihoo-portfolio.vercel.app/posts/opencpn-rce-command-injection and the NVD record at https://nvd.nist.gov/vuln/detail/CVE-2025-56814 should be tracked for fix references. As compensating controls until a patch is available, avoid loading untrusted chart files, plugins, route/waypoint files, or configuration imports from third parties (the most plausible input vectors for shell metacharacters), and run OpenCPN under a dedicated low-privileged OS account so that successful exploitation does not yield administrative access - note this does not prevent code execution in that account's context. On multi-user systems, restrict filesystem permissions on OpenCPN's configuration and plugin directories to the intended user only to prevent another local user from staging a malicious payload.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210154
GHSA-wvcq-xvv7-c8m8