Medium severity6.5NVD Advisory· Published Apr 6, 2026· Updated Apr 20, 2026

CVE-2026-35175

Description

Ajenti is a Linux and BSD modular server admin panel. Prior to 2.2.15, an authenticated user (using the auth_users plugin authentication method) could install a custom package even if this user is not superuser. This vulnerability is fixed in 2.2.15.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
ajenti-panelPyPI	< 2.2.15	2.2.15

Affected products

Ajenti/Ajenti
cpe:2.3:a:ajenti:ajenti:*:*:*:*:*:*:*:*
Range: <2.2.15

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/ajenti/ajenti/security/advisories/GHSA-73jv-44c3-j5p2nvdPatchVendor AdvisoryWEB
github.com/advisories/GHSA-73jv-44c3-j5p2ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-35175ghsaADVISORY
github.com/ajenti/ajenti/releases/tag/v2.2.15nvdProductRelease NotesWEB

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000