Basic Information
CVSS Score: -
CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -

Technology
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| files.photo.gallery | npm | >= 0.3.0, <= 0.11.0 | - |
The vulnerability stems from improper neutralization of user-controlled input ($this->path) in a system command. The available exploit code shows that the filename is interpolated directly into an ffmpeg command string, with only double-quote escaping (str_replace('"')) applied; that escaping does nothing against command substitution via $(...), which the shell expands even inside double quotes. The PHP method responsible for video thumbnail generation is the logical location of this command construction. The exact class and method names are not given in the available sources, but the pattern matches common PHP media-processing implementations and the exploit's technical details.
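The following PHP snippet is an added illustration and is not code from files.photo.gallery; the function names and the sample filename are constructed for the example. It places the quote-only escaping described above beside the hardened form so the difference in the resulting shell command can be inspected without running ffmpeg.

```php
<?php
// Added illustration (not the package's own code). Function names are
// hypothetical; the filename below is constructed for the demonstration.

// Weak pattern described in the record: the filename is interpolated into a
// double-quoted shell string and only the double-quote character is escaped.
// The shell still performs $(...) and backtick substitution inside "...".
function buildThumbCommandWeak(string $path, string $out): string
{
    $quoted = str_replace('"', '\\"', $path);  // escapes only the literal quote
    return 'ffmpeg -i "' . $quoted . '" -frames:v 1 "' . $out . '"';
}

// Hardened form: escapeshellarg() wraps the argument in single quotes and
// escapes any embedded single quote. Inside single quotes the shell performs
// no substitution, so $(...), backticks, ';' and '|' are passed to ffmpeg as
// literal characters rather than interpreted.
function buildThumbCommandSafe(string $path, string $out): string
{
    return 'ffmpeg -i ' . escapeshellarg($path)
         . ' -frames:v 1 ' . escapeshellarg($out);
}

// Constructed filename containing command-substitution syntax. The weak
// builder leaves $(...) exposed to the shell; the safe builder neutralizes it.
$name = 'clip_$(echo marker).mp4';

echo "weak: ", buildThumbCommandWeak($name, 'thumb.jpg'), PHP_EOL;
echo "safe: ", buildThumbCommandSafe($name, 'thumb.jpg'), PHP_EOL;
```

Run with `php` on the command line to compare the two command strings. Where the PHP version allows it, passing the command to proc_open() as an array (supported since PHP 7.4) avoids the shell entirely and is preferable to building a command string at all; escapeshellarg() remains the correct fix when a string must be handed to exec() or shell_exec().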