CVE-2025-63261 — OS Command Injection in Awstats

CWE-78 — OS Command Injection9 documents7 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 79.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Awstats Debian Linux

Timeline

PublishedMar 20

Latest updateMar 23

Description

AWStats 8.0 is vulnerable to Command Injection via the open function

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶Debianawstats/awstats< 7.8-2+deb11u2+1

▶NVDawstats/awstats7.9

Also affects: Debian Linux 11.0

🔴Vulnerability Details

CVEList

CVE-2025-63261: AWStats 8↗2026-03-20

▶

GHSA

GHSA-f93m-5ch9-5cqf: AWStats 8↗2026-03-20

▶

OSV

CVE-2025-63261: AWStats 8↗2026-03-20

▶

📋Vendor Advisories

Debian

CVE-2025-63261: awstats - AWStats 8.0 is vulnerable to Command Injection via the open function↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-63261 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2025-63261 awstats: AWStats: Arbitrary code execution via command injection vulnerability [fedora-42]↗2026-03-23

▶

Bugzilla

CVE-2025-63261 awstats: AWStats: Arbitrary code execution via command injection vulnerability [fedora-43]↗2026-03-23

▶

Bugzilla

CVE-2025-63261 awstats: AWStats: Arbitrary code execution via command injection vulnerability [epel-all]↗2026-03-23

▶