Description
AWStats 8.0 is vulnerable to Command Injection via the open function
Published: 2026-03-20
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

A vulnerability in AWStats 8.0 allows an attacker to inject arbitrary operating‑system commands through the open function used by the CGI script. This command injection, identified as CWE‑78, can lead to remote code execution on the web server hosting AWStats, granting full control over that system if exploitation is successful.

Affected Systems

The flaw affects installations of AWStats version 8.0. Systems running this version on Debian 11.0 Linux, or any operating system where AWStats 8.0 is deployed, are at risk if the CGI interface is reachable from the network.

Risk and Exploitability

The CVSS score of 7.8 categorizes the issue as high severity, but the EPSS score of less than 1% indicates a low probability of exploitation in the wild, and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. The likely attack path is through the publicly accessible AWStats CGI script; an attacker who can submit input that reaches the vulnerable open call can potentially execute arbitrary commands. No authentication requirement is stated in the description, so access controls around the CGI directory may influence the feasibility of exploitation.

Generated by OpenCVE AI on April 8, 2026 at 00:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest AWStats update, which removes the vulnerable open function.
  • If an immediate upgrade is not possible, limit access to the AWStats CGI directory using firewall rules or web‑server authentication mechanisms.
  • Maintain current system patches, particularly for the underlying Debian 11.0 distribution.
  • Monitor web server logs for anomalous command execution or unexpected traffic to the AWStats CGI endpoint.

Generated by OpenCVE AI on April 8, 2026 at 00:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4509-1 awstats security update
History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Command Injection in AWStats via Open Function

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Awstats
Awstats awstats
Debian
Debian debian Linux
CPEs cpe:2.3:a:awstats:awstats:7.9:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Vendors & Products Awstats
Awstats awstats
Debian
Debian debian Linux

Wed, 25 Mar 2026 23:30:00 +0000

Type Values Removed Values Added
References

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Title Command Injection in AWStats via Open Function

Mon, 23 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Eldy
Eldy awstats
Vendors & Products Eldy
Eldy awstats

Fri, 20 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description AWStats 8.0 is vulnerable to Command Injection via the open function
References

Subscriptions

Awstats Awstats
Debian Debian Linux
Eldy Awstats
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-25T22:10:36.546Z

Reserved: 2025-10-27T00:00:00.000Z

Link: CVE-2025-63261

cve-icon Vulnrichment

Updated: 2026-03-25T22:10:36.546Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T21:17:12.800

Modified: 2026-04-07T16:08:00.883

Link: CVE-2025-63261

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:01:27Z

Weaknesses