CVE-2025-56814
Received Received - Intake
BaseFortify

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
A code injection vulnerability in the wxExecute() function of OpenCPN v5.12.0 allows attackers to execute arbitrary code via embedding shell metacharacters.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-15
Last Modified
2026-06-15
Generated
2026-06-16
AI Q&A
2026-06-15
EPSS Evaluated
N/A
NVD
CVE-2025-56814
EUVD
EUVD-2025-210154
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
opencpn opencpn 5.12.0
opencpn launcher_plugin 1.3.5
opencpn opencn 5.12.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a code injection issue in the wxExecute() function of OpenCPN version 5.12.0. It occurs because user-defined commands are executed directly through the system shell without proper input sanitization.

Attackers can exploit this by embedding shell metacharacters (such as & or |) into the command string, which allows them to execute arbitrary commands on the system.

The vulnerable code is located in launcher_pi.cpp, specifically in the wxExecute(cmd, wxEXEC_ASYNC) call, which passes the command to the shell in the Windows environment.

Impact Analysis

This vulnerability allows attackers to execute arbitrary code with the same privileges as the OpenCPN application.

As a result, an attacker could run unintended commands on your system, potentially leading to unauthorized access, data manipulation, or system compromise.

Detection Guidance

Detection of this vulnerability involves monitoring for suspicious command execution patterns that include shell metacharacters such as & or | within the OpenCPN application context.

Since the vulnerability arises from the wxExecute() function executing user-defined commands without sanitization, you can check running processes or logs for commands containing unusual shell metacharacters.

  • On Windows, use Process Monitor (Procmon) to filter for OpenCPN processes executing commands with shell metacharacters.
  • Use PowerShell to search for suspicious command lines in process lists, for example: Get-WmiObject Win32_Process | Where-Object { $_.CommandLine -match '[&|]' }
  • Review OpenCPN plugin configuration files or user-defined command inputs for presence of shell metacharacters.
Mitigation Strategies

Immediate mitigation steps include avoiding the use of user-defined commands that contain shell metacharacters in OpenCPN version 5.12.0 and its Launcher Plugin.

Restrict or disable the Launcher Plugin if possible until a patch or update is available.

Limit the privileges of the OpenCPN application to reduce the impact of potential arbitrary code execution.

Monitor and audit command inputs and execution related to OpenCPN to detect and prevent exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-56814. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart