Billz Raspap-Webgui vulnerabilities
10 known vulnerabilities affecting billz/raspap-webgui.
Total CVEs: 10
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 2, HIGH 7, MEDIUM 1
Vulnerabilities
CVE-2022-39986 | P1 | CRITICAL | Exploited | PoC | ≥ 2.8.0, < 2.8.8 | 2023-08-01
CVE-2022-39986 [CRITICAL] CWE-77 RaspAP Command Injection vulnerability
A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the `cfg_id` parameter in `/ajax/openvpn/activate_ovpncfg.php` and `/ajax/openvpn/del_ovpncfg.php`.
Sources: GHSA, OSV
CVE-2022-39987 | P2 | HIGH | ≥ 2.8.0, < 2.9.5 | 2023-08-01
CVE-2022-39987 [HIGH] CWE-77 RaspAP Command Injection vulnerability
A Command injection vulnerability in RaspAP 2.8.0 thru 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the `entity` POST parameters in `/ajax/networking/get_wgkey.php`.
Sources: GHSA, OSV
CVE-2026-24788 | P2 | HIGH | ≥ 0, < 3.3.6 | 2026-02-02
CVE-2026-24788 [HIGH] CWE-78 RaspAP raspap-webgui contains an OS Command Injection vulnerability
RaspAP raspap-webgui versions prior to 3.3.6 contain an OS Command Injection vulnerability. If exploited, an arbitrary OS command may be executed by a user who can log in to the product.
Sources: GHSA, OSV
CVE-2021-38556 | P2 | HIGH | ≥ 0, ≤ 2.6.6 | 2021-09-02
CVE-2021-38556 [HIGH] CWE-77 Command Injection in RaspAP 2.6.6
includes/configure_client.php in RaspAP 2.6.6 allows attackers to execute commands via command injection.
Sources: GHSA, OSV
CVE-2023-30260 | P2 | HIGH | ≥ 0, < 2.8.9 | 2023-06-23
CVE-2023-30260 [HIGH] CWE-77 RaspAP raspap-webgui Command Injection vulnerability
Command injection vulnerability in RaspAP raspap-webgui 2.8.8 and earlier allows remote attackers to run arbitrary commands via crafted POST request to hostapd settings form.
Sources: GHSA, OSV
CVE-2021-38557 | P3 | HIGH | ≥ 0, ≤ 2.6.6 | 2021-09-02
CVE-2021-38557 [HIGH] CWE-276 raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions.
raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-
Sources: GHSA, OSV
CVE-2024-41637 | P3 | CRITICAL | ≥ 0, ≤ 3.1.4 | 2024-07-29
CVE-2024-41637 [CRITICAL] CWE-269 RaspAP allows an attacker to escalate privileges
RaspAP before 3.1.5 allows an attacker to escalate privileges: the www-data user has write access to the restapi.service file and also possesses Sudo privileges to execute several critical commands without a password.
Sources: GHSA, OSV
CVE-2024-2497 | P3 | MEDIUM | ≥ 0, ≤ 3.0.9 | 2024-03-15
CVE-2024-2497 [MEDIUM] CWE-94 RaspAP Vulnerable to Code Injection via an Unknown Process in File `includes/provider.php`
A vulnerability was found in RaspAP raspap-webgui 3.0.9 and classified as critical. This issue affects some unknown processing of the file includes/provider.php of the component HTTP POST Request Handler. The manipulation of the argument country leads to code injection. The attack may b
Sources: GHSA, OSV
CVE-2025-44163 | P3 | HIGH | ≥ 0, < 3.3.6 | 2025-06-27
CVE-2025-44163 [HIGH] CWE-22 raspap-webgui has a Directory Traversal vulnerability
RaspAP raspap-webgui 3.3.1 is vulnerable to Directory Traversal in ajax/networking/get_wgkey.php. An authenticated attacker can send a crafted POST request with a path traversal payload in the `entity` parameter to overwrite arbitrary files writable by the web server via abuse of the `tee` command used in shell execution.
Sources: GHSA, OSV
CVE-2024-28754 | P3 | HIGH | ≥ 0, < 3.1.0 | 2024-03-09
CVE-2024-28754 [HIGH] raspap-webgui vulnerable to denial of service
RaspAP (aka raspap-webgui) through 3.0.9 allows remote attackers to cause a persistent denial of service (bricking) via a crafted request.
Sources: GHSA, OSV