CVE-2025-36846

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://smartoffice.expert/en/", "name": "https://smartoffice.expert/en/", "tags": [], "refsource": ""}, {"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-034.txt", "name": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-034.txt", "tags": [], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "An issue was discovered in Eveo URVE Web Manager 27.02.2025. The application exposes a /_internal/pc/vpro.php localhost endpoint to unauthenticated users that is vulnerable to OS Command Injection. The endpoint takes an input parameter that is passed directly into the shell_exec() function of PHP. NOTE: this can be chained with CVE-2025-36845."}]}, "problemtype": {"problemtype_data": [{"description": []}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2025-36846", "ASSIGNER": "cve@mitre.org"}}, "impact": {}, "publishedDate": "2025-07-21T18:15Z", "configurations": {"nodes": [], "CVE_data_version": "4.0"}, "lastModifiedDate": "2025-07-22T13:05Z"}