Description
OpenBullet2 through version 0.3.2 contains a remote code execution vulnerability that allows authenticated users to execute arbitrary commands by uploading script files (.bat, .ps1, .sh) through the FileProxySource proxy loading feature. Attackers can upload malicious script files as proxy sources, causing the server to execute the scripts and return output as proxy lines, resulting in arbitrary command execution on the host as the process user.
Published: 2026-06-08
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in OpenBullet2 allows an authenticated user to upload script files such as .bat, .ps1 or .sh through the FileProxySource proxy loading feature. When these files are uploaded, the server stores them and then executes them, returning the resulting output as proxy lines. This enables an attacker to run arbitrary commands on the host system under the privileges of the process user, leading to complete compromise of confidentiality, integrity, and availability of the affected machine.

Affected Systems

OpenBullet2 versions up to and including 0.3.2 are affected. The vulnerability exists in all releases prior to 0.3.3 and will be resolved in the next patch.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. Although no EPSS score is available, the vulnerability requires the attacker to be authenticated, which narrows the attacker pool but still poses significant risk in environments where credentials are compromised or weak. The attack consists of uploading a malicious script and then viewing the output; because the script runs with the server process's privileges, a successful exploit gives the attacker that same level of control over the host. The vulnerability is not listed in the CISA KEV catalog, which suggests there are no known widespread exploitation instances yet, but the high CVSS score combined with the low bar of authenticated access makes it a priority concern.

Generated by OpenCVE AI on June 8, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenBullet2 version 0.3.3 or later.
  • Disable the FileProxySource script upload feature or restrict uploads to non-executable file types.
  • Apply any vendor-supplied patch or update as soon as it becomes available.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 17:00:00 +0000

Type | Values Removed | Values Added
Description | | OpenBullet2 through version 0.3.2 contains a remote code execution vulnerability that allows authenticated users to execute arbitrary commands by uploading script files (.bat, .ps1, .sh) through the FileProxySource proxy loading feature. Attackers can upload malicious script files as proxy sources, causing the server to execute the scripts and return output as proxy lines, resulting in arbitrary command execution on the host as the process user.
Title | | OpenBullet2 0.3.2 Authenticated RCE via FileProxySource Script Upload
Weaknesses | | CWE-78
References | |
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-08T18:12:03.694Z

Reserved: 2026-02-06T19:12:03.462Z

Link: CVE-2026-25855

Vulnrichment

Updated: 2026-06-08T18:11:49.403Z

NVD

Status: Received

Published: 2026-06-08T17:16:41.380

Modified: 2026-06-08T17:16:41.380

Link: CVE-2026-25855

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T19:00:14Z

Weaknesses