OS Command Injection via Path Traversal in WaveStore Server
CVE-2025-65074

8.6HIGH

Key Information:

Vendor: Wavestore
Status: Wavestore Server
Vendor: CVE Published:; 16 December 2025

What is CVE-2025-65074?

WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able to execute arbitrary OS commands on the server using path traversal in the showerr script.

This issue was fixed in version 6.44.44

Affected Version(s)

WaveStore Server 0 < 6.44.44

References

https://cert.pl/en/posts/2025/12/CVE-2025-65074

third-party-advisory

https://www.wavestore.com/products/video-management-software

product

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 16, 2025
Vulnerability Reserved
Nov 17, 2025

Credit

Julia Zduńczyk

JSON

Wavestore

What is CVE-2025-65074?

Affected Version(s)

References

CVSS V4

Timeline

Credit