CVE-2025-63690

Critical CVSS: 9.1

In pig-mesh Pig versions 3.8.2 and below, when setting up scheduled tasks in the Quartz management function under the system management module, it is possible to execute any Java class with a parameterless constructor and its methods with parameter type String through reflection. At this time, the eval method in Tomcat's built-in class jakarta.el.ELProcessor can be used to execute commands, leading to a remote code execution vulnerability.

Vendor

Pig4cloud

Product

Pig

CWE

CWE-470

Yayın Tarihi

2025-11-07 16:15:42

Güncelleme

2025-12-08 16:10:04

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-470 Pig CRITICAL Pig4cloud 2025

Referanslar

https://github.com/LockeTom/vulnerability/blob/main/md/pig_Remote_Code_Execution_Vulnerability.md https://github.com/pig-mesh/pig/issues/1199