dizqueTV 1.5.3 Remote Code Execution via FFMPEG Executable Path

Advisories

severity: critical
date: December 11, 2025
Affecting: dizqueTV 1.5.3
CVE: CVE-2024-58286
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-52079
DizqueTV GitHub Repository
Credit: Ahmed Said Saud Al-Busaidi
Description: dizqueTV 1.5.3 contains a remote code execution vulnerability that allows attackers to inject arbitrary commands through the FFMPEG Executable Path settings. Attackers can modify the executable path with shell commands to read system files like /etc/passwd by exploiting improper input validation.