Description
An OS command injection vulnerability exists in Mako Server versions 2.5 and 2.6, specifically within the tutorial interface provided by the examples/save.lsp endpoint. An unauthenticated attacker can send a crafted PUT request containing arbitrary Lua os.execute() code, which is then persisted on disk and triggered via a subsequent GET request to examples/manage.lsp. This allows remote command execution on the underlying operating system, impacting both Windows and Unix-based deployments.
Published: 2025-07-10
Score: 9.3 Critical
EPSS: 66.6% High
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS command injection flaw exists in the tutorial interface of Mako Server versions 2.5 and 2.6. A crafted PUT request to the examples/save.lsp endpoint writes arbitrary Lua os.execute() code to disk, and a later GET request to examples/manage.lsp triggers execution of that code. The vulnerability allows an unauthenticated attacker to run arbitrary operating‑system commands as the Mako Server process, compromising the confidentiality, integrity and availability (VC:H/VI:H/VA:H in the CVSS 4.0 vector) of both Windows and Unix deployments.

Affected Systems

The affected product is Real Time Logic Mako Server, specifically versions 2.5 and 2.6. The flaw resides in the examples component, exposed at the examples/save.lsp and examples/manage.lsp endpoints.

Risk and Exploitability

The CVSS 4.0 score of 9.3 classifies this issue as critical, and the EPSS score of 66.6% indicates a high probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, but the attack path is simple: two unauthenticated HTTP requests to the examples interface (a PUT to examples/save.lsp, then a GET to examples/manage.lsp) yield remote command execution with no authentication or user interaction required (PR:N, UI:N in the CVSS vector). The SSVC assessment recorded in the history below rates the issue automatable and notes a public proof of concept (Exploitation: poc).

Generated by OpenCVE AI on May 18, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • No fixed release is listed on this page. Check Real Time Logic for a Mako Server release later than 2.6 that removes or secures the tutorial examples, and upgrade as soon as one is available.
  • Until then, remove the examples directory from production installs, or block the /examples/* endpoints (at minimum examples/save.lsp and examples/manage.lsp) with a firewall, reverse‑proxy or web‑application‑firewall rule. The tutorial is sample code and has no place on an internet‑facing server.
  • Verify the block from outside the host, then audit access logs for PUT requests to examples/save.lsp and GET requests to examples/manage.lsp. A PUT followed by a GET is the full attack chain, but because the payload is persisted on disk, the GET that triggers it need not come from the attacker's address; it may come from a second attacker host or from a legitimate user opening manage.lsp. Runtime monitoring for unexpected child processes of the Mako Server process is a useful second signal.
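The log audit suggested in the last item, as an added example that is not from OpenCVE or from Real Time Logic: a Python script that scans an access log for the two‑request chain this advisory describes. It assumes an Apache/nginx "combined"‑style log, as a reverse proxy in front of Mako Server would write it (Mako's own log format is not shown on this page, so adapt LOG_RE to what your deployment actually logs); the log lines are constructed for the example, and the ten‑minute correlation window is an arbitrary choice. Because the payload persists on disk, the script correlates the triggering GET across all sources rather than only the PUT's source.

```python
"""Hunt for the CVE-2025-34095 request chain in an access log.

Chain per the advisory: PUT examples/save.lsp (persists Lua on disk), then
GET examples/manage.lsp (runs it). Log format, sample lines and the time
window below are assumptions made for this example, not Mako Server facts.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Assumed Apache/nginx "combined"-style line; trailing referer/UA fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The two tutorial endpoints named in the advisory. Paths are percent-decoded
# and matched case-insensitively so variants that differ only in encoding or
# case are not missed by the audit.
EXAMPLES_RE = re.compile(r'(^|/)examples/', re.IGNORECASE)
SAVE_RE = re.compile(r'(^|/)examples/save\.lsp(?:[?#]|$)', re.IGNORECASE)
MANAGE_RE = re.compile(r'(^|/)examples/manage\.lsp(?:[?#]|$)', re.IGNORECASE)

# Constructed sample traffic for this example (not real log data).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2025:20:01:02 +0000] "GET /examples/ HTTP/1.1" 200 1432
203.0.113.7 - - [10/Jul/2025:20:01:09 +0000] "PUT /examples/save.lsp HTTP/1.1" 200 21
203.0.113.7 - - [10/Jul/2025:20:01:15 +0000] "GET /examples/manage.lsp HTTP/1.1" 200 0
198.51.100.4 - - [10/Jul/2025:20:03:40 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.4 - - [10/Jul/2025:20:05:33 +0000] "GET /Examples/manage.lsp HTTP/1.1" 200 312
192.0.2.9 - - [10/Jul/2025:20:30:00 +0000] "PUT /examples/%73ave.lsp HTTP/1.1" 200 21
192.0.2.9 - - [10/Jul/2025:21:10:00 +0000] "GET /examples/manage.lsp HTTP/1.1" 200 0
"""


def parse_line(line):
    """Parse one access-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = unquote(rec["path"])
    return rec


def examples_requests(lines):
    """Every request that touched the tutorial tree at all.

    The mitigation is to make /examples/* unreachable, so any hit listed here
    means the exposure still exists, whether or not an attack chain completed.
    """
    return [(r["ip"], r["method"], r["path"])
            for r in map(parse_line, lines)
            if r and EXAMPLES_RE.search(r["path"])]


def find_chains(lines, window_minutes=10):
    """Return (put_ip, put_ts, get_ip, get_ts) for each PUT to save.lsp that is
    followed within the window by a GET to manage.lsp from any source.

    Cross-source correlation is deliberate: the stored payload fires for
    whoever requests manage.lsp next, attacker or not.
    """
    window = timedelta(minutes=window_minutes)
    puts = []      # (ip, ts) of every PUT to save.lsp seen so far
    chains = []
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        if rec["method"] == "PUT" and SAVE_RE.search(rec["path"]):
            puts.append((rec["ip"], rec["ts"]))
        elif rec["method"] == "GET" and MANAGE_RE.search(rec["path"]):
            for put_ip, put_ts in puts:
                if timedelta(0) <= rec["ts"] - put_ts <= window:
                    chains.append((put_ip, put_ts, rec["ip"], rec["ts"]))
    return chains


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, method, path in examples_requests(lines):
        print(f"examples tree reached: {ip} {method} {path}")
    for put_ip, put_ts, get_ip, get_ts in find_chains(lines):
        print(f"possible CVE-2025-34095 chain: PUT by {put_ip} at {put_ts:%H:%M:%S}, "
              f"GET by {get_ip} at {get_ts:%H:%M:%S}")
```

On the sample data the script reports two chains, both seeded by the 203.0.113.7 PUT: one triggered by the same host six seconds later and one triggered by 198.51.100.4 four minutes later. The 192.0.2.9 pair falls outside the default window, which is why the window should be tuned to how long stored files survive on your server rather than left at the example's arbitrary ten minutes.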


Advisories
Source: EUVD
ID: EUVD-2025-21031
Title: An OS command injection vulnerability exists in Mako Server versions 2.5 and 2.6, specifically within the tutorial interface provided by the examples/save.lsp endpoint. An unauthenticated attacker can send a crafted PUT request containing arbitrary Lua os.execute() code, which is then persisted on disk and triggered via a subsequent GET request to examples/manage.lsp. This allows remote command execution on the underlying operating system, impacting both Windows and Unix-based deployments.
History

Wed, 16 Jul 2025 13:45:00 +0000

Metrics (epss): removed {'score': 0.00613}; added {'score': 0.00863}


Fri, 11 Jul 2025 14:15:00 +0000

Metrics (ssvc): removed {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}; added {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 11 Jul 2025 13:45:00 +0000

Metrics (epss): added {'score': 0.00613}


Fri, 11 Jul 2025 13:30:00 +0000

Metrics (epss): added {}


Thu, 10 Jul 2025 21:15:00 +0000

Metrics (ssvc): added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 10 Jul 2025 19:30:00 +0000

Values added:
Description: An OS command injection vulnerability exists in Mako Server versions 2.5 and 2.6, specifically within the tutorial interface provided by the examples/save.lsp endpoint. An unauthenticated attacker can send a crafted PUT request containing arbitrary Lua os.execute() code, which is then persisted on disk and triggered via a subsequent GET request to examples/manage.lsp. This allows remote command execution on the underlying operating system, impacting both Windows and Unix-based deployments.
Title: Mako Server v2.5 and v2.6 OS Command Injection via examples/save.lsp
Weaknesses: CWE-78
References: (none shown)
Metrics (cvssV4_0): {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T02:07:36.308Z

Reserved: 2025-04-15T19:15:22.552Z

Link: CVE-2025-34095

Vulnrichment

Updated: 2025-07-10T20:27:23.428Z

NVD

Status: Deferred

Published: 2025-07-10T20:15:24.953

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-34095

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T14:45:16Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')