PhotoShow Remote Code Execution Vulnerability via Exiftran Path Injection

Vulnerability

A remote code execution vulnerability exists in PhotoShow version 3.0, allowing authenticated administrators to inject malicious commands through the Exiftran path configuration. This vulnerability can be exploited by base64-encoding a reverse shell command and having it executed through a crafted video upload, taking advantage of the application's FFmpeg configuration settings.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where PhotoShow is hosted.

Reproduction

To reproduce this vulnerability, log in as an administrator and navigate to the admin settings page. Inject a base64-encoded reverse shell command into the 'FFmpeg path' field, then upload a short video. The injected command will be executed, providing a shell on the attacker's machine.
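The root cause described above is an admin-editable tool path that ends up inside a shell command when an uploaded video is processed. The following Python is an added defensive example, not PhotoShow's own code: it validates such a setting strictly and invokes the tool with an argument vector instead of a shell string. The allow-listed basenames, the `-frames:v` invocation and all sample values are assumptions for illustration.

```python
"""Hardened handling of an admin-configurable external tool path.

Added example (not PhotoShow's code). It models the risky pattern in
this advisory: a path string taken from an admin settings form and later
spliced into the command that processes an uploaded video. The fix is to
validate the setting and to run the tool via an argv list, never a shell.
"""
import os
import re
import subprocess

# Only plain absolute paths built from letters, digits, '/', '_', '-', '.'.
# Shell metacharacters (';', '|', '$', '&', backticks, spaces) are rejected.
_SAFE_PATH = re.compile(r"^/[A-Za-z0-9_./-]+$")
# Assumed allow-list: the only binaries the settings page may point at.
_ALLOWED_BASENAMES = {"ffmpeg", "exiftran"}


def validate_tool_path(path: str, check_fs: bool = True) -> bool:
    """Return True only if ``path`` is an acceptable tool location.

    The regex defeats metacharacter injection, the '..' check blocks
    traversal, the basename allow-list stops the setting from naming an
    arbitrary binary, and the filesystem check (skipped when check_fs is
    False) confirms the target really is an executable file.
    """
    if not _SAFE_PATH.fullmatch(path) or ".." in path.split("/"):
        return False
    if os.path.basename(path) not in _ALLOWED_BASENAMES:
        return False
    if check_fs and not (os.path.isfile(path) and os.access(path, os.X_OK)):
        return False
    return True


def build_ffmpeg_argv(ffmpeg_path: str, src: str, dst: str,
                      check_fs: bool = True) -> list:
    """Build the argv for a single-frame thumbnail extraction.

    The list is handed to subprocess without shell=True, so the path and
    file names are never re-parsed by /bin/sh: a setting such as
    "/usr/bin/ffmpeg; echo injected" cannot become a second command,
    and validate_tool_path rejects it before we get that far.
    """
    if not validate_tool_path(ffmpeg_path, check_fs=check_fs):
        raise ValueError("rejected ffmpeg path setting: %r" % (ffmpeg_path,))
    return [ffmpeg_path, "-i", src, "-frames:v", "1", dst]


def run_ffmpeg(ffmpeg_path: str, src: str, dst: str):
    """Run the validated command; stdout/stderr are captured, not shown."""
    argv = build_ffmpeg_argv(ffmpeg_path, src, dst, check_fs=True)
    return subprocess.run(argv, check=True, capture_output=True)
```

The same validator applies to the Exiftran path field, since both settings feed an external command in the same way.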

Added: Dec 22, 2025, 10:38 PM
Updated: Dec 22, 2025, 10:38 PM

Vulnerability Rating

Custom Algorithm
  spread          0.0
  impact         10.0
  exploitability  6.1
  remediation     0.0
  relevance       1.5
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.