VYPR

raspap-webgui

by RaspAP

CVEs (9)

  • CVE-2024-41637 High Jul 29, 2024
    risk 0.47 cvss 8.3 epss 0.01

    RaspAP before 3.1.5 allows an attacker to escalate privileges: the www-data user has write access to the restapi.service file and also possesses sudo privileges to execute several critical commands without a password.

  • CVE-2021-33356 Jun 9, 2021
    risk 0.01 cvss epss 0.05

    Multiple privilege escalation vulnerabilities in RaspAP 1.5 to 2.6.5 could allow an authenticated remote attacker to inject arbitrary commands into the /installers/common.sh component, which can result in remote command execution with root privileges.

  • CVE-2020-24572 Aug 24, 2020
    risk 0.01 cvss epss 0.07

    An issue was discovered in includes/webconsole.php in RaspAP 2.5. With authenticated access, an attacker can use a misconfigured (and virtually unrestricted) web console to attack the underlying OS (Raspberry Pi) running this software, and execute commands on the system…

  • CVE-2025-50428 Aug 27, 2025
    risk 0.00 cvss epss 0.02

    In RaspAP raspap-webgui 3.3.2 and earlier, a command injection vulnerability exists in the includes/hostapd.php script. The vulnerability is due to improper sanitizing of user input passed via the interface parameter.

  • CVE-2025-44163 Jun 27, 2025
    risk 0.00 cvss epss 0.01

    RaspAP raspap-webgui 3.3.1 is vulnerable to Directory Traversal in ajax/networking/get_wgkey.php. An authenticated attacker can send a crafted POST request with a path traversal payload in the `entity` parameter to overwrite arbitrary files writable by the web server via abuse…

  • CVE-2024-36622 Nov 29, 2024
    risk 0.00 cvss epss 0.03

    In RaspAP raspap-webgui 3.0.9 and earlier, a command injection vulnerability exists in the clearlog.php script. The vulnerability is due to improper sanitization of user input passed via the logfile parameter.

  • CVE-2024-2497 Mar 15, 2024
    risk 0.00 cvss epss 0.01

    A vulnerability was found in RaspAP raspap-webgui 3.0.9 and classified as critical. This issue affects some unknown processing of the file includes/provider.php of the component HTTP POST Request Handler. The manipulation of the argument country leads to code injection. The…

  • CVE-2024-28754 Mar 8, 2024
    risk 0.00 cvss epss 0.01

    RaspAP (aka raspap-webgui) through 3.0.9 allows remote attackers to cause a persistent denial of service (bricking) via a crafted request.

  • CVE-2024-28753 Mar 8, 2024
    risk 0.00 cvss epss 0.01

    RaspAP (aka raspap-webgui) through 3.0.9 allows remote attackers to read the /etc/passwd file via a crafted request.