RaspAP
Products (2)
- 9 CVEs
- 2 CVEs
Recent CVEs (11)

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-41637 | | High | 0.47 | 8.3 | 0.01 | | Jul 29, 2024 | RaspAP before 3.1.5 allows an attacker to escalate privileges: the www-data user has write access to the restapi.service file and also possesses Sudo privileges to execute several critical commands without a password. |
| CVE-2021-33357 | | | 0.07 | — | 0.18 | | Jun 9, 2021 | A vulnerability exists in RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";" which enables an unauthenticated attacker to execute arbitrary OS commands. |
| CVE-2021-33356 | | | 0.01 | — | 0.05 | | Jun 9, 2021 | Multiple privilege escalation vulnerabilities in RaspAP 1.5 to 2.6.5 could allow an authenticated remote attacker to inject arbitrary commands to /installers/common.sh component that can result in remote command execution with root privileges. |
| CVE-2020-24572 | | | 0.01 | — | 0.07 | | Aug 24, 2020 | An issue was discovered in includes/webconsole.php in RaspAP 2.5. With authenticated access, an attacker can use a misconfigured (and virtually unrestricted) web console to attack the underlying OS (Raspberry Pi) running this software, and execute commands on the system… |
| CVE-2025-50428 | | | 0.00 | — | 0.02 | | Aug 27, 2025 | In RaspAP raspap-webgui 3.3.2 and earlier, a command injection vulnerability exists in the includes/hostapd.php script. The vulnerability is due to improper sanitizing of user input passed via the interface parameter. |
| CVE-2025-44163 | | | 0.00 | — | 0.01 | | Jun 27, 2025 | RaspAP raspap-webgui 3.3.1 is vulnerable to Directory Traversal in ajax/networking/get_wgkey.php. An authenticated attacker can send a crafted POST request with a path traversal payload in the `entity` parameter to overwrite arbitrary files writable by the web server via abuse… |
| CVE-2024-36622 | | | 0.00 | — | 0.03 | | Nov 29, 2024 | In RaspAP raspap-webgui 3.0.9 and earlier, a command injection vulnerability exists in the clearlog.php script. The vulnerability is due to improper sanitization of user input passed via the logfile parameter. |
| CVE-2024-2497 | | | 0.00 | — | 0.01 | | Mar 15, 2024 | A vulnerability was found in RaspAP raspap-webgui 3.0.9 and classified as critical. This issue affects some unknown processing of the file includes/provider.php of the component HTTP POST Request Handler. The manipulation of the argument country leads to code injection. The… |
| CVE-2024-28754 | | | 0.00 | — | 0.01 | | Mar 8, 2024 | RaspAP (aka raspap-webgui) through 3.0.9 allows remote attackers to cause a persistent denial of service (bricking) via a crafted request. |
| CVE-2024-28753 | | | 0.00 | — | 0.01 | | Mar 8, 2024 | RaspAP (aka raspap-webgui) through 3.0.9 allows remote attackers to read the /etc/passwd file via a crafted request. |
| CVE-2021-33358 | | | 0.00 | — | 0.03 | | Jun 9, 2021 | Multiple vulnerabilities exist in RaspAP 2.3 to 2.6.5 in the "interface", "ssid" and "wpa_passphrase" POST parameters in /hostapd, when the parameter values contain special characters such as ";" or "$()" which enables an authenticated attacker to execute arbitrary OS commands. |