Packagist (Composer) package
billz/raspap-webgui
pkg:composer/billz/raspap-webgui
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-24788 | High | 8.8 | — | < 3.3.6 | 3.3.6 | Feb 2, 2026 | RaspAP raspap-webgui versions prior to 3.3.6 contain an OS command injection vulnerability. If exploited, an arbitrary OS command may be executed by a user who can log in to the product. |
| CVE-2025-44163 | — | — | — | < 3.3.6 | 3.3.6 | Jun 27, 2025 | RaspAP raspap-webgui 3.3.1 is vulnerable to Directory Traversal in ajax/networking/get_wgkey.php. An authenticated attacker can send a crafted POST request with a path traversal payload in the `entity` parameter to overwrite arbitrary files writable by the web server via abuse of |
| CVE-2024-41637 | High | 8.3 | — | <= 3.1.4 | — | Jul 29, 2024 | RaspAP before 3.1.5 allows an attacker to escalate privileges: the www-data user has write access to the restapi.service file and also possesses Sudo privileges to execute several critical commands without a password. |
| CVE-2024-2497 | — | — | — | <= 3.0.9 | — | Mar 15, 2024 | A vulnerability was found in RaspAP raspap-webgui 3.0.9 and classified as critical. This issue affects some unknown processing of the file includes/provider.php of the component HTTP POST Request Handler. The manipulation of the argument country leads to code injection. The attac |
| CVE-2024-28754 | — | — | — | < 3.1.0 | 3.1.0 | Mar 8, 2024 | RaspAP (aka raspap-webgui) through 3.0.9 allows remote attackers to cause a persistent denial of service (bricking) via a crafted request. |
| CVE-2022-39987 | — | — | — | >= 2.8.0, < 2.9.5 | 2.9.5 | Aug 1, 2023 | A Command injection vulnerability in RaspAP 2.8.0 thru 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the "entity" POST parameters in /ajax/networking/get_wgkey.php. |
| CVE-2022-39986 | — | — | — | >= 2.8.0, < 2.8.8 | 2.8.8 | Aug 1, 2023 | A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php. |
| CVE-2023-30260 | — | — | — | < 2.8.9 | 2.8.9 | Jun 23, 2023 | Command injection vulnerability in RaspAP raspap-webgui 2.8.8 and earlier allows remote attackers to run arbitrary commands via crafted POST request to hostapd settings form. |
| CVE-2021-38556 | — | — | — | <= 2.6.6 | — | Aug 24, 2021 | includes/configure_client.php in RaspAP 2.6.6 allows attackers to execute commands via command injection. |
| CVE-2021-38557 | — | — | — | <= 2.6.6 | — | Aug 24, 2021 | raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd |