CVE-2025-1244OS Command Injection in Emacs

CWE-78OS Command InjectionCWE-1244Internal Asset Exposed to Unsafe Debug Access Level or StateCWE-146Improper Neutralization of Expression/Command DelimitersCWE-366Race Condition within a Thread11 documents9 sources
Severity
8.8HIGHNVD
EPSS
1.3%
top 20.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
GNU Emacs
Timeline
PublishedFeb 12
Latest updateFeb 4

Description

A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

Debiangnu/emacs< 1:27.1+1-3.1+deb11u6+3

🔴Vulnerability Details

4
OSV
emacs vulnerabilities2026-02-04
GHSA
GHSA-gghq-qp34-gqg8: A flaw was found in the Emacs text editor2025-02-12
OSV
CVE-2025-1244: A command injection flaw was found in the text editor Emacs2025-02-12
CVEList
Emacs: shell injection vulnerability in gnu emacs via custom "man" uri scheme2025-02-12

📋Vendor Advisories

5
Ubuntu
Emacs vulnerabilities2026-02-04
Cisco
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Authenticated Command Injection Vulnerabilities2025-08-14
Red Hat
emacs: Shell Injection Vulnerability in GNU Emacs via Custom "man" URI Scheme2025-02-12
Microsoft
Emacs: shell injection vulnerability in gnu emacs via custom "man" uri scheme2025-02-11
Debian
CVE-2025-1244: emacs - A command injection flaw was found in the text editor Emacs. It could allow a re...2025
CVE-2025-1244 — OS Command Injection in GNU Emacs | cvebase