AperiSolve: Unauthenticated RCE via JPSeek Analyzer Command Injection
CWE-78
OS Command Injection
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Per NVD: “Aperi’Solve is an open-source steganalysis web platform. Prior to 3.2.1, when uploading a JPEG, a user can specify an optional password to accompany the JPEG. This password is then directly passed into an expect command, which is then subsequently passed into a bash -c command, without any form of sanitization or validation. An unauthenticated attacker can achieve root-level RCE inside the worker container.”
Affected Packages / Versions
- Package:
aperisolve(—) - Latest published version at triage time:
Prior to 3.2.1 - Affected range:
AperiSolve < 3.2.1 (per NVD) - Patched version:
AperiSolve 3.2.1 (per release at github.com/Zeecka/AperiSolve/releases/tag/3.2.1)
Impact
Per NVD: root-level RCE inside the analysis worker container. The NVD record does not enumerate downstream effects (host pivot, tenant data exposure).
Severity Rationale
NVD CVSS 9.8 (Critical): network AV, low complexity, no privileges, no UI, full CIA.
Fix
Per NVD: upgrade to AperiSolve 3.2.1` (GitHub release 3.2.1, github.com/Zeecka/AperiSolve/releases/tag/3.2.1`). Patch was delivered via GHSA-8r22-62p7-9jrp; confirm the release date against the GitHub release page before publication.
Disclosure timeline
- TBDReported to vendor
- TBDPatch released (AperiSolve 3.2.1)
- Mar 31, 2026Public disclosure (per Praetorian cve-research listing)
Fix Commit(s)
References
Discovered by Khael Kugler · Published April 29, 2026