CVE-2025-63261
Publication date 20 March 2026
Last updated 2 April 2026
Ubuntu priority
CVSS 3 Severity Score
Description
AWStats 8.0 is vulnerable to Command Injection via the open function
Why is this CVE low priority?
This requires access to modify awstats.conf
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| awstats | 25.10 questing | Needs evaluation |
| | 24.04 LTS noble | Needs evaluation |
| | 22.04 LTS jammy | Needs evaluation |
| | 20.04 LTS focal | Needs evaluation |
| | 18.04 LTS bionic | Needs evaluation |
| | 16.04 LTS xenial | Needs evaluation |
Notes
mdeslaur
This vulnerability requires a user to be able to modify the awstats.conf configuration file. Only the root user is able to modify the file in Ubuntu, so this is an unlikely attack scenario. Setting this issue to low priority.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |