CVE-2025-7404
Python vulnerability analysis and mitigation

Overview

CVE-2025-7404 is an OS command injection vulnerability in Calibre Web version 0.6.24 (Nicolette) and Autocaliweb versions 0.7.0 before 0.7.1. It was found by Johan Giraldo of Fluid Attacks' Offensive Team on July 7, 2025, and publicly disclosed on July 24, 2025. The flaw allows authenticated administrators to perform blind OS command injection through improper neutralization of special elements (Fluid Attacks).

Technical details

The vulnerability exists in the /admin/ajaxconfig endpoint, through which authenticated administrators configure system settings via POST requests. It is reached through the 'config_rarfile_location' parameter, which is validated by the 'check_unrar()' helper function. That function only checks that the supplied path exists using os.path.exists(); it does not otherwise validate what the path points to before handing it to subprocess execution functions. As a result, any binary on the system can be executed by supplying its absolute path, though without the ability to pass arguments to it. The vulnerability has been assigned a CVSS v4.0 base score of 5.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N (Fluid Attacks).
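One way to harden an existence-only check of this kind is shown below as an added example; it is not code from Calibre Web or Autocaliweb, and the function name, the allowlist of binary names, the trusted-directory list and the temporary-directory fixtures in demo() are all constructed for illustration. The validator accepts a path only if its basename is unrar both before and after symlink resolution, it resolves into a trusted directory, and it is a regular executable file.

```python
import os
import stat
import tempfile
from pathlib import Path
# Hypothetical allowlist for this example; not Calibre Web's own configuration.
ALLOWED_NAMES = ("unrar", "unrar.exe")


def validate_unrar_path(candidate: str, trusted_dirs) -> str:
    """Return the canonical path if it names a trusted unrar binary, else raise ValueError.
    os.path.exists() alone accepts any existing path; here the basename (before and
    after symlink resolution), the directory and the file type are checked as well."""
    if "\x00" in candidate:
        raise ValueError("malformed path")
    p = Path(candidate)
    if not p.is_absolute():
        raise ValueError("path must be absolute")
    try:
        resolved = p.resolve(strict=True)  # canonical path; raises if it does not exist
    except OSError as exc:
        raise ValueError(f"path does not exist: {candidate!r}") from exc
    if p.name not in ALLOWED_NAMES or resolved.name not in ALLOWED_NAMES:
        raise ValueError(f"unexpected binary name: {resolved.name!r}")
    if resolved.parent not in {Path(d).resolve() for d in trusted_dirs}:
        raise ValueError(f"binary outside trusted directories: {resolved}")
    if not stat.S_ISREG(resolved.stat().st_mode) or not os.access(resolved, os.X_OK):
        raise ValueError("not a regular executable file")
    return str(resolved)

def demo() -> dict:
    """Run the validator over constructed fixtures; True means the path was accepted."""
    outcome = {}
    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp) / "bin"
        trusted.mkdir()
        good = trusted / "unrar"    # the legitimate binary
        decoy = trusted / "reboot"  # exists and is executable, but is not unrar
        for f in (good, decoy):
            f.write_text("#!/bin/sh\nexit 0\n")
            f.chmod(0o755)
        link = Path(tmp) / "unrar"  # right basename, but resolves to the decoy
        link.symlink_to(decoy)
        cases = {"good": good, "decoy": decoy, "symlink": link, "missing": trusted / "unrar.exe"}
        for label, path in cases.items():
            try:
                validate_unrar_path(str(path), [trusted])
                outcome[label] = True
            except ValueError:
                outcome[label] = False
    return outcome
```

Only the fixture that is actually the unrar binary inside the trusted directory is accepted; the decoy, the symlink to it and the missing file are all rejected even though os.path.exists() would pass the first three.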

Impact

The vulnerability allows authenticated administrators to execute arbitrary binaries on the system using absolute paths. While parameter passing is not possible, the attacker can trigger default behaviors of system binaries, potentially affecting system integrity and availability. For example, an attacker could execute system commands like /sbin/reboot to force a system restart. Due to the blind nature of the injection, data exfiltration capabilities are limited (Fluid Attacks).

Mitigation and workarounds

For Autocaliweb users, the vulnerability has been patched in version 0.7.1, and users should upgrade to this version. However, there is currently no patch available for the Calibre Web project. Users of Calibre Web should consider implementing additional access controls and monitoring of administrator actions until a patch is released (Fluid Attacks).


Related Python vulnerabilities:

CVE ID          Severity  Score  Technologies  Component name  CISA KEV exploit  Has fix  Published date
CVE-2026-22033  HIGH      8.6    Python        label-studio    No                No       Jan 12, 2026
CVE-2025-68472  HIGH      8.1    Python        mindsdb         No                Yes      Jan 12, 2026
CVE-2026-22251  MEDIUM    5.3    Python        wlc             No                Yes      Jan 12, 2026
CVE-2026-22691  LOW       2.7    Python        pypdf2          No                Yes      Jan 10, 2026
CVE-2026-22250  LOW       2.5    Python        wlc             No                Yes      Jan 12, 2026
