OS Command Injection in TkEasyGUI by kujirahand
CVE-2025-55037

9.3CRITICAL

Key Information:

Vendor: Kujirahand
Status: Tkeasygui
Vendor: CVE Published:; 5 September 2025

What is CVE-2025-55037?

A vulnerability exists in TkEasyGUI prior to version 1.0.22 that allows an unauthenticated remote attacker to execute arbitrary OS commands. This is due to improper neutralization of special elements used in an OS command. If the software settings allow for messages to be constructed from external sources, an exploit could lead to unauthorized command execution, potentially compromising system integrity. It is crucial for users of affected versions to upgrade to the latest release to mitigate this risk.

Affected Version(s)

TkEasyGUI versions prior to v1.0.22

References

https://github.com/kujirahand/tkeasygui-python/releases/t...

https://jvn.jp/en/jp/JVN48739895/

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

CVSS V3.0

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 5, 2025
Vulnerability Reserved
Sep 3, 2025

Kujirahand

What is CVE-2025-55037?

Affected Version(s)

References

CVSS V4

CVSS V3.0

Timeline