billz/raspap-webgui
Packagist
10 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting billz/raspap-webgui (page 1 of 1)
- CVE-2021-38556 | HIGH | CVSS 8.8 | EG 8.8 | 2021-08-24
vulnerable: 2.4.1 ... 2.6.6 (12 versions)
includes/configure_client.php in RaspAP 2.6.6 allows attackers to execute commands via command injection.
- CVE-2021-38557 | HIGH | CVSS 8.8 | EG 8.8 | 2021-08-24
vulnerable: 2.4.1 ... 2.6.6 (12 versions)
raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data accou…
- CVE-2022-39986 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.8.8 | 2023-08-01
vulnerable: 2.8.0 ... 2.8.7 (8 versions)
A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.
- CVE-2022-39987 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 2.9.5 | 2023-08-01
vulnerable: 2.8.0 ... 2.9.4 (15 versions)
A Command injection vulnerability in RaspAP 2.8.0 thru 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the "entity" POST parameters in /ajax/networking/get_wgkey.php.
- CVE-2023-30260 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 2.8.9 | 2023-06-23
vulnerable: 1.0 ... 2.8.8 (27 versions)
Command injection vulnerability in RaspAP raspap-webgui 2.8.8 and earlier allows remote attackers to run arbitrary commands via crafted POST request to hostapd settings form.
- CVE-2024-2497 | MEDIUM | CVSS 4.7 | EG 4.7 | 2024-03-15
vulnerable: 1.0 ... 3.0.9 (49 versions)
A vulnerability was found in RaspAP raspap-webgui 3.0.9 and classified as critical. This issue affects some unknown processing of the file includes/provider.php of the component HTTP POST Request Handler. The manipulation of the argument c…
- CVE-2024-28754 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 3.1.0 | 2024-03-09
vulnerable: 1.0 ... 3.0.9 (49 versions)
RaspAP (aka raspap-webgui) through 3.0.9 allows remote attackers to cause a persistent denial of service (bricking) via a crafted request.
- CVE-2024-41637 | HIGH | CVSS 8.3 | EG 9.9 | 2024-07-29
vulnerable: 1.0 ... 3.1.4 (54 versions)
RaspAP before 3.1.5 allows an attacker to escalate privileges: the www-data user has write access to the restapi.service file and also possesses Sudo privileges to execute several critical commands without a password.
- CVE-2025-44163 | MEDIUM | CVSS 6.3 | EG 6.3 | ✓ Fixed in 3.3.6 | 2025-06-27
vulnerable: 1.0 ... v3.3.5 (75 versions)
RaspAP raspap-webgui 3.3.1 is vulnerable to Directory Traversal in ajax/networking/get_wgkey.php. An authenticated attacker can send a crafted POST request with a path traversal payload in the `entity` parameter to overwrite arbitrary file…
- CVE-2026-24788 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 3.3.6 | 2026-02-02
vulnerable: 1.0 ... v3.3.5 (75 versions)
RaspAP raspap-webgui versions prior to 3.3.6 contain an OS command injection vulnerability. If exploited, an arbitrary OS command may be executed by a user who can log in to the product.