High severity8.8NVD Advisory· Published Feb 2, 2026· Updated Apr 15, 2026
CVE-2026-24788
CVE-2026-24788
Description
RaspAP raspap-webgui versions prior to 3.3.6 contain an OS command injection vulnerability. If exploited, an arbitrary OS command may be executed by a user who can log in to the product.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
billz/raspap-webguiPackagist | < 3.3.6 | 3.3.6 |
Patches
1f514f5a12ef0Sanitize user input w/ $validLocales, add detectBrowserLocale()
1 file changed · +57 −89
includes/locale.php+57 −89 modified@@ -1,107 +1,43 @@ <?php /** - * Sets locale information for i18n support - */ - -/** - * Rudimentary language detection via the browser. + * Sets locale information for i18n support, with secure input validation. + * + * Rudimentary language detection is performed via the browser. * Accept-Language returns a list of weighted values with a quality (or 'q') parameter. * A better method would parse the list of preferred languages and match this with * the languages supported by our platform. + * @see https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.4 * - * Refer to: https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.4 + * Uses $validLocales to mitigate OS Command Injection (CWE-78) + * @see Vulnerability Report for JVN #27202136 */ -if (empty($_SESSION['locale']) && !empty($_SERVER['HTTP_ACCEPT_LANGUAGE']) && strlen($_SERVER['HTTP_ACCEPT_LANGUAGE']) >= 2) { - $lang = substr($_SERVER['HTTP_ACCEPT_LANGUAGE'], 0, 2); - switch ($lang) { - case "de": - $locale = "de_DE.UTF-8"; - break; - case "fr": - $locale = "fr_FR.UTF-8"; - break; - case "it": - $locale = "it_IT.UTF-8"; - break; - case "pt": - $locale = "pt_BR.UTF-8"; - break; - case "sv": - $locale = "sv_SE.UTF-8"; - break; - case "nl": - $locale = "nl_NL.UTF-8"; - break; - case "zh": - if ($_SERVER['HTTP_ACCEPT_LANGUAGE'] == 'zh_TW') { - $locale = "zh_TW.UTF-8"; - } else { - $locale = "zh_CN.UTF-8"; - } - break; - case "cs": - $locale = "cs_CZ.UTF-8"; - break; - case "ru": - $locale = "ru_RU.UTF-8"; - break; - case "es": - $locale = "es_MX.UTF-8"; - break; - case "fi": - $locale = "fi_FI.UTF-8"; - break; - case "da": - $locale = "da_DK.UTF-8"; - break; - case "tr": - $locale = "tr_TR.UTF-8"; - break; - case "id": - $locale = "id_ID.UTF-8"; - break; - case "ko": - $locale = "ko_KR.UTF-8"; - break; - case "ja": - $locale = "ja_JP.UTF-8"; - break; - case "vi": - $locale = "vi_VN.UTF-8"; - break; - case "el": - $locale = "el_GR.UTF-8"; - break; - case "pl": - $locale = "pl_PL.UTF-8"; - break; - case "sk": - $locale = "sk_SK.UTF-8"; - break; - default: - $locale = "en_GB.UTF-8"; - break; - } - $_SESSION['locale'] = $locale; +// Set locale from POST, if provided and valid +$validLocales = array_keys(getLocales()); +if (!empty($_POST['locale']) && in_array($_POST['locale'], $validLocales, true)) { + $_SESSION['locale'] = $_POST['locale']; } -// Note: the associated locale must be installed on the RPi -// Use: 'sudo raspi-configure' and select 'Localisation Options' +// Set locale from browser detection, if not already set +if (empty($_SESSION['locale'])) { + $_SESSION['locale'] = detectBrowserLocale(); +} -// activate the locale setting -if (!empty($_SESSION['locale'])) { - putenv("LANG=" . $_SESSION['locale']); - setlocale(LC_ALL, $_SESSION['locale']); +// Enforce only valid locale values in session +if (!in_array($_SESSION['locale'], $validLocales, true)) { + $_SESSION['locale'] = 'en_GB.UTF-8'; } + +// Apply locale settings +putenv("LANG=" . escapeshellarg($_SESSION['locale'])); +setlocale(LC_ALL, $_SESSION['locale']); bindtextdomain(LOCALE_DOMAIN, LOCALE_ROOT); bind_textdomain_codeset(LOCALE_DOMAIN, 'UTF-8'); - textdomain(LOCALE_DOMAIN); -function getLocales() +function getLocales(): array { - $arrLocales = array( + return [ 'en_GB.UTF-8' => 'English', 'cs_CZ.UTF-8' => 'Čeština', 'zh_TW.UTF-8' => '正體中文 (Chinese traditional)', @@ -125,6 +61,38 @@ function getLocales() 'sv_SE.UTF-8' => 'Svenska', 'tr_TR.UTF-8' => 'Türkçe', 'vi_VN.UTF-8' => 'Tiếng Việt (Vietnamese)' - ); - return $arrLocales; + ]; +} + +function detectBrowserLocale(): string +{ + if (empty($_SERVER['HTTP_ACCEPT_LANGUAGE']) || strlen($_SERVER['HTTP_ACCEPT_LANGUAGE']) < 2) { + return 'en_GB.UTF-8'; + } + + $lang = substr($_SERVER['HTTP_ACCEPT_LANGUAGE'], 0, 2); + return match ($lang) { + 'de' => 'de_DE.UTF-8', + 'fr' => 'fr_FR.UTF-8', + 'it' => 'it_IT.UTF-8', + 'pt' => 'pt_BR.UTF-8', + 'sv' => 'sv_SE.UTF-8', + 'nl' => 'nl_NL.UTF-8', + 'zh' => ($_SERVER['HTTP_ACCEPT_LANGUAGE'] === 'zh_TW') ? 'zh_TW.UTF-8' : 'zh_CN.UTF-8', + 'cs' => 'cs_CZ.UTF-8', + 'ru' => 'ru_RU.UTF-8', + 'es' => 'es_MX.UTF-8', + 'fi' => 'fi_FI.UTF-8', + 'da' => 'da_DK.UTF-8', + 'tr' => 'tr_TR.UTF-8', + 'id' => 'id_ID.UTF-8', + 'ko' => 'ko_KR.UTF-8', + 'ja' => 'ja_JP.UTF-8', + 'vi' => 'vi_VN.UTF-8', + 'el' => 'el_GR.UTF-8', + 'pl' => 'pl_PL.UTF-8', + 'sk' => 'sk_SK.UTF-8', + default => 'en_GB.UTF-8', + }; } +
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-4wwf-f7w3-94f5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-24788ghsaADVISORY
- github.com/RaspAP/raspap-webgui/commit/f514f5a12ef0c34853b5370ef55d630b499f977dghsaWEB
- github.com/RaspAP/raspap-webgui/releases/tag/3.3.6ghsaWEB
- jvn.jp/en/jp/JVN27202136ghsaWEB
- jvn.jp/en/jp/JVN27202136/nvd
News mentions
0No linked articles in our index yet.