CVE-2025-67738 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2025-67738

CVE-2025-67738

December 11, 2025

squid/cachemgr.cgi in Webmin before 2.600 does not properly quote arguments. This is relevant if Webmin's Squid module and its Cache Manager feature are available, and an untrusted party is able to authenticate to Webmin and has certain Cache Manager permissions (the "cms" security option).

Affected Packages

https://github.com/webmin/webmin.git (GITHUB):

Affected version(s) =2.300 <2.600

Fix Suggestion:

Update to version 2.600

Related Resources (3)

https://webmin.com/security/#privilige-escalation-using-squid-module-cve-2025-67738

https://github.com/webmin/webmin/compare/2.520...2.600

https://github.com/webmin/webmin/commit/1a52bf4d72f9da6d79250c66e51f41c6f5b880ee

Do you need more information?

CVSS v4

Base Score:

Attack Vector

NETWORK

Attack Complexity

HIGH

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

HIGH

Subsequent System Integrity

HIGH

Subsequent System Availability

HIGH

CVSS v3

Base Score:

8.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

EPSS

Base Score:

0.05

Products

Solutions

Resources

Company

Compare

Developer Tools