GHSA-26f6-wm47-7h7j: Duplicate Advisory: motionEye vulnerable to RCE via unsanitized motion config parameter

October 3, 2025 (updated November 3, 2025)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-j945-qm58-4gjx. This link is maintained to preserve external references.

Original Description

MotionEye v0.43.1b4 and before is vulnerable to OS Command Injection in configuration parameters such as image_file_name. Unsanitized user input is written to Motion configuration files, allowing remote authenticated attackers with admin access to achieve code execution when Motion is restarted.

References

github.com/advisories/GHSA-26f6-wm47-7h7j
github.com/prabhatverma47/motionEye-RCE-through-config-parameter
nvd.nist.gov/vuln/detail/CVE-2025-60787

Code Behaviors & Features

Detect and mitigate GHSA-26f6-wm47-7h7j with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →