CVE-2025-47782 – motionEye vulnerable to RCE in add_camera Function Due to unsafe command execution

https://notcve.org/view.php?id=CVE-2025-47782

14 May 2025 — motionEye is an online interface for the software motion, a video surveillance program with motion detection. In versions 0.43.1b1 through 0.43.1b3, using a constructed (camera) device path with the `add`/`add_camera` motionEye web API allows an attacker with motionEye admin user credentials to execute any command within a non-interactive shell as motionEye run user, `motion` by default. The vulnerability has been patched with motionEye v0.43.1b4. As a workaround, apply the patch manually. • https://github.com/motioneye-project/motioneye/issues/3142 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •