Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
3 vulnerabilities by wavestore
CVE-2025-65076 (GCVE-0-2025-65076)
Vulnerability from cvelistv5 – Published: 2025-12-16 12:25 – Updated: 2025-12-16 14:30
VLAI
Title
Arbitrary File Read and Delete via Path Traversal in WaveStore Server
Summary
WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able to read or delete any file on the server using path traversal in the ilog script. This script is being run with root privileges.
This issue was fixed in version 6.44.44
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2025/12/CVE-2025-65074 | third-party-advisory |
| https://www.wavestore.com/products/video-manageme… | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| WaveStore | WaveStore Server |
Affected:
0 , < 6.44.44
(semver)
|
Date Public
2025-12-16 10:55
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-65076",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T14:28:04.301385Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:30:08.750Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WaveStore Server",
"vendor": "WaveStore",
"versions": [
{
"lessThan": "6.44.44",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Julia Zdu\u0144czyk"
}
],
"datePublic": "2025-12-16T10:55:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able to read or delete any file on the server using path traversal in the\u0026nbsp;\u003ctt\u003ei\u003c/tt\u003e\u003ctt\u003elog\u003c/tt\u003e script. This script is being run with root privileges.\u003cbr\u003e\u003cbr\u003eThis issue was fixed in version 6.44.44\u003cbr\u003e"
}
],
"value": "WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able to read or delete any file on the server using path traversal in the\u00a0ilog script. This script is being run with root privileges.\n\nThis issue was fixed in version 6.44.44"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T12:25:24.801Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2025/12/CVE-2025-65074"
},
{
"tags": [
"product"
],
"url": "https://www.wavestore.com/products/video-management-software"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Arbitrary File Read and Delete via Path Traversal in WaveStore Server",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2025-65076",
"datePublished": "2025-12-16T12:25:24.801Z",
"dateReserved": "2025-11-17T09:20:09.473Z",
"dateUpdated": "2025-12-16T14:30:08.750Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65075 (GCVE-0-2025-65075)
Vulnerability from cvelistv5 – Published: 2025-12-16 12:25 – Updated: 2025-12-16 14:37
VLAI
Title
Arbitrary File Read and Delete via Path Traversal in WaveStore Server
Summary
WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able to read or delete files, with the permissions of dvr user, on the server using path traversal in the alog script.
This issue was fixed in version 6.44.44
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2025/12/CVE-2025-65074 | third-party-advisory |
| https://www.wavestore.com/products/video-manageme… | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| WaveStore | WaveStore Server |
Affected:
0 , < 6.44.44
(semver)
|
Date Public
2025-12-16 10:55
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-65075",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T14:37:16.542200Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:37:30.288Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WaveStore Server",
"vendor": "WaveStore",
"versions": [
{
"lessThan": "6.44.44",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Julia Zdu\u0144czyk"
}
],
"datePublic": "2025-12-16T10:55:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able to read or delete files, with the permissions of\u0026nbsp;\u003ctt\u003edvr\u003c/tt\u003e user, on the server using path traversal in the\u0026nbsp;\u003ctt\u003ea\u003c/tt\u003e\u003ctt\u003elog\u003c/tt\u003e script.\u003cbr\u003e\u003cbr\u003eThis issue was fixed in version 6.44.44\u003cbr\u003e"
}
],
"value": "WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able to read or delete files, with the permissions of\u00a0dvr user, on the server using path traversal in the\u00a0alog script.\n\nThis issue was fixed in version 6.44.44"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T12:25:17.584Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2025/12/CVE-2025-65074"
},
{
"tags": [
"product"
],
"url": "https://www.wavestore.com/products/video-management-software"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Arbitrary File Read and Delete via Path Traversal in WaveStore Server",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2025-65075",
"datePublished": "2025-12-16T12:25:17.584Z",
"dateReserved": "2025-11-17T09:20:09.473Z",
"dateUpdated": "2025-12-16T14:37:30.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65074 (GCVE-0-2025-65074)
Vulnerability from cvelistv5 – Published: 2025-12-16 12:25 – Updated: 2025-12-16 14:38
VLAI
Title
OS Command Injection via Path Traversal in WaveStore Server
Summary
WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able to execute arbitrary OS commands on the server using path traversal in the showerr script.
This issue was fixed in version 6.44.44
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2025/12/CVE-2025-65074 | third-party-advisory |
| https://www.wavestore.com/products/video-manageme… | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| WaveStore | WaveStore Server |
Affected:
0 , < 6.44.44
(semver)
|
Date Public
2025-12-16 10:55
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-65074",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T14:37:48.538168Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:38:42.175Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WaveStore Server",
"vendor": "WaveStore",
"versions": [
{
"lessThan": "6.44.44",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Julia Zdu\u0144czyk"
}
],
"datePublic": "2025-12-16T10:55:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server.\u0026nbsp;A malicious attacker with high-privileges is able to execute arbitrary OS commands on the server using path traversal in the\u0026nbsp;\u003ctt\u003eshowerr\u003c/tt\u003e script.\u003cbr\u003e\u003cbr\u003eThis issue was fixed in version 6.44.44\u003cbr\u003e"
}
],
"value": "WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server.\u00a0A malicious attacker with high-privileges is able to execute arbitrary OS commands on the server using path traversal in the\u00a0showerr script.\n\nThis issue was fixed in version 6.44.44"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T12:25:15.751Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2025/12/CVE-2025-65074"
},
{
"tags": [
"product"
],
"url": "https://www.wavestore.com/products/video-management-software"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OS Command Injection via Path Traversal in WaveStore Server",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2025-65074",
"datePublished": "2025-12-16T12:25:15.751Z",
"dateReserved": "2025-11-17T09:20:09.472Z",
"dateUpdated": "2025-12-16T14:38:42.175Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}