CVE-2025-34030

🗓️ 20 Jun 2025 18:40:04Reported by VulnCheckType

cve🔗 web.nvd.nist.gov👁 38 Views🌐 WEB

OS command injection in sar2html version 3.2.2 allows remote command execution via plot parameter.

Reporter	Title	Published	Views	Family All 13
BDU FSTEC	The vulnerability of the index.php script used by the sar2html system statistics visualization tool allows a perpetrator to execute arbitrary commands.	1 Jul 202500:00	–	bdu_fstec
GithubExploit	Exploit for CVE-2025-34030	26 Aug 202501:08	–	githubexploit
Circl	CVE-2025-34030	20 Jun 202522:37	–	circl
CNNVD	sar2html 安全漏洞	20 Jun 202500:00	–	cnnvd
Cvelist	CVE-2025-34030 sar2html OS Command Injection	20 Jun 202518:40	–	cvelist
EUVD	EUVD-2025-18774	3 Oct 202520:07	–	euvd
Nuclei	sar2html <=3.2.2 Plot Parameter - Remote Code Execution	26 Jun 202618:13	–	nuclei
NVD	CVE-2025-34030	20 Jun 202519:15	–	nvd
OSV	CVE-2025-34030	20 Jun 202519:15	–	osv
Positive Technologies	PT-2025-26462	1 Aug 201900:00	–	ptsecurity

Vulners

Node

sar2html sar2htmlRange0–3.2.2

[
  {
    "defaultStatus": "unaffected",
    "modules": [
      "Web Management Interface (index.php handler for plot parameter)"
    ],
    "product": "sar2html",
    "vendor": "sar2html",
    "versions": [
      {
        "lessThanOrEqual": "3.2.2",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
vulncheck	www.vulncheck.com/advisories/sar2html-command-injection
exploit-db	www.exploit-db.com/exploits/47204
github	www.github.com/cemtan/sar2html
fortiguard	www.fortiguard.com/encyclopedia/ips/48624

Parameter	Position	Path	Description	CWE
plot	query param	index.php	OS command injection via the plot parameter in index.php (e.g., ?plot=;id) leading to remote command execution	CWE-78

17 Jun 2026 09:13Current

7.5High risk

Vulners AI Score7.5

CVSS 410

EPSS0.59067

SSVC

cve-2025-34030 os command injection sar2html vulnerability command execution user input sanitization