Security Updates
The following security bulletins address important issues in earlier versions of WebMO. To address these issues, upgrade to the noted WebMO version or apply the supplied patches.
Spring 2026
- CVE-2025-65603 - Weak Session Cryptography
- CVE-2025-65604 - Potential Code Injection
- CVE-2025-65605 - Directory Traversal
All of the above issues are addressed in WebMO 25.1.004 and higher. Existing WebMO users are strongly encouraged to upgrade to the most recent version.
WebMO Pro/Enterprise users who are unable to upgrade to WebMO 25 can also utilize the following versions, to which back-ported fixes have already been applied:
- WebMO 24.1.001
- WebMO 23.1.001
WebMO Pro/Enterprise users who are running WebMO 22 or earlier and who are unable to upgrade may manually apply an appropriate patch file, which is available via email request. To apply the patch:
% cd <webmo-cgi>
% rm show_image.cgi
% patch -p0 < security2025.patch
WebMO thanks Maksim Chudakov of Accenture for identifying these issues.