Commvault
The Report Builder component of the application stores user input directly in a web page and displays it to other users, which raised concerns about a possible Cross-Site Scripting (XSS) attack. Proper management of this functionality helps ensure a secure and seamless user experience. [CVSS 5.4 MEDIUM]
A security vulnerability has been identified that allows remote attackers to inject or manipulate command-line arguments passed to internal components due to insufficient input validation. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity. The EPSS exploitation probability is 40.3%, and no vendor patch is available.
A security vulnerability has been identified that allows remote attackers to perform unauthorized file system access through a path traversal issue. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable with low attack complexity. The EPSS exploitation probability is 49.6%, and no vendor patch is available.
During the brief window between installation and the first administrator login, remote attackers may exploit the default credential to gain admin control. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.
A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity. Public exploit code is available, and the EPSS exploitation probability is 83.1%.
Commvault Web Server allows authenticated remote attackers to create and execute webshells, exploited in the wild alongside CVE-2025-34028 for comprehensive backup infrastructure compromise.
Commvault Command Center Innovation Release allows unauthenticated remote code execution through path traversal in ZIP file upload handling, enabling malicious JSP deployment on the server.