Vulnerabilites related to kujirahand - TkEasyGUI
CVE-2025-55671 (GCVE-0-2025-55671)
Vulnerability from cvelistv5
Published
2025-09-05 05:24
Modified
2025-09-05 13:45
Severity ?
7.8 (High) - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.5 (High) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
8.5 (High) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
VLAI Severity ?
EPSS score ?
CWE
- CWE-427 - Uncontrolled Search Path Element
Summary
Uncontrolled search path element issue exists in TkEasyGUI versions prior to v1.0.22. If this vulnerability is exploited, arbitrary code may be executed with the privilege of running the program.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| kujirahand | TkEasyGUI |
Version: versions prior to v1.0.22 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55671",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-05T13:45:43.259396Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T13:45:51.932Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "TkEasyGUI",
"vendor": "kujirahand",
"versions": [
{
"status": "affected",
"version": "versions prior to v1.0.22"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Uncontrolled search path element issue exists in TkEasyGUI versions prior to v1.0.22. If this vulnerability is exploited, arbitrary code may be executed with the privilege of running the program."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 8.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "Uncontrolled Search Path Element",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T05:24:45.422Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://github.com/kujirahand/tkeasygui-python/releases/tag/v1.0.22"
},
{
"url": "https://jvn.jp/en/jp/JVN48739895/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-55671",
"datePublished": "2025-09-05T05:24:45.422Z",
"dateReserved": "2025-09-03T01:18:11.774Z",
"dateUpdated": "2025-09-05T13:45:51.932Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-55037 (GCVE-0-2025-55037)
Vulnerability from cvelistv5
Published
2025-09-05 05:24
Modified
2025-09-05 14:52
Severity ?
9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
Summary
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in TkEasyGUI versions prior to v1.0.22. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote unauthenticated attacker if the settings are configured to construct messages from external sources.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| kujirahand | TkEasyGUI |
Version: versions prior to v1.0.22 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55037",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-05T14:52:37.665161Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T14:52:47.833Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "TkEasyGUI",
"vendor": "kujirahand",
"versions": [
{
"status": "affected",
"version": "versions prior to v1.0.22"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in TkEasyGUI versions prior to v1.0.22. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote unauthenticated attacker if the settings are configured to construct messages from external sources."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T05:24:41.118Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://github.com/kujirahand/tkeasygui-python/releases/tag/v1.0.22"
},
{
"url": "https://jvn.jp/en/jp/JVN48739895/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-55037",
"datePublished": "2025-09-05T05:24:41.118Z",
"dateReserved": "2025-09-03T01:18:10.872Z",
"dateUpdated": "2025-09-05T14:52:47.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
jvndb-2025-000075
Vulnerability from jvndb
Published
2025-09-05 14:53
Modified
2025-09-05 14:53
Severity ?
Summary
Multiple vulnerabilities in TkEasyGUI
Details
TkEasyGUI provided by kujirahand contains multiple vulnerabilities listed below.<ul><li>OS command injection (CWE-78) - CVE-2025-55037</li><li>Uncontrolled search path element (CWE-427) - CVE-2025-55671</li></ul>
Satoki Tsuji of Ikotas Labs, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| ► | Type | URL | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| ► | Vendor | Product |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000075.html",
"dc:date": "2025-09-05T14:53+09:00",
"dcterms:issued": "2025-09-05T14:53+09:00",
"dcterms:modified": "2025-09-05T14:53+09:00",
"description": "TkEasyGUI provided by kujirahand contains multiple vulnerabilities listed below.\u003cul\u003e\u003cli\u003eOS command injection (CWE-78) - CVE-2025-55037\u003c/li\u003e\u003cli\u003eUncontrolled search path element (CWE-427) - CVE-2025-55671\u003c/li\u003e\u003c/ul\u003e\r\nSatoki Tsuji of Ikotas Labs, Inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000075.html",
"sec:cpe": {
"#text": "cpe:/a:kujirahand:tkeasygui",
"@product": "TkEasyGUI",
"@vendor": "kujirahand",
"@version": "2.2"
},
"sec:cvss": {
"@score": "9.8",
"@severity": "Critical",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2025-000075",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN48739895/index.html",
"@id": "JVN#48739895",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-55037",
"@id": "CVE-2025-55037",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-55671",
"@id": "CVE-2025-55671",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-78",
"@title": "OS Command Injection(CWE-78)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Multiple vulnerabilities in TkEasyGUI"
}