{"url":"http://public2.vulnerablecode.io/api/packages/534022?format=json","purl":"pkg:composer/billz/raspap-webgui@2.6.3","type":"composer","namespace":"billz","name":"raspap-webgui","version":"2.6.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.3.6","latest_non_vulnerable_version":"3.3.6","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41416?format=json","vulnerability_id":"VCID-1n9n-27ht-wqf6","summary":"Improper Neutralization of Special Elements used in a Command ('Command Injection')\nincludes/configure_client.php in RaspAP 2.6.6 allows attackers to execute commands via command injection.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-38556","reference_id":"","reference_type":"","scores":[{"value":"0.18635","scoring_system":"epss","scoring_elements":"0.95398","published_at":"2026-06-05T12:55:00Z"},{"value":"0.18635","scoring_system":"epss","scoring_elements":"0.95401","published_at":"2026-06-06T12:55:00Z"},{"value":"0.18635","scoring_system":"epss","scoring_elements":"0.9539","published_at":"2026-06-04T12:55:00Z"},{"value":"0.18635","scoring_system":"epss","scoring_elements":"0.95407","published_at":"2026-06-09T12:55:00Z"},{"value":"0.18635","scoring_system":"epss","scoring_elements":"0.95404","published_at":"2026-06-08T12:55:00Z"},{"value":"0.18635","scoring_system":"epss","scoring_elements":"0.95403","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-38556"},{"reference_url":"https://github.com/RaspAP/raspap-webgui","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/RaspAP/raspap-webgui"},{"reference_url":"https://github.com/RaspAP/raspap-webgui/blob/0e1d652c5e55f812aaf2a5908884e9db179416ee/includes/configure_client.php","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/RaspAP/raspap-webgui/blob/0e1d652c5e55f812aaf2a5908884e9db179416ee/includes/configure_client.php"},{"reference_url":"https://zerosecuritypenetrationtesting.com/?page_id=306","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://zerosecuritypenetrationtesting.com/?page_id=306"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-38556","reference_id":"CVE-2021-38556","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-38556"},{"reference_url":"https://github.com/advisories/GHSA-7vph-p634-vrqf","reference_id":"GHSA-7vph-p634-vrqf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7vph-p634-vrqf"}],"fixed_packages":[],"aliases":["CVE-2021-38556","GHSA-7vph-p634-vrqf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1n9n-27ht-wqf6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49938?format=json","vulnerability_id":"VCID-34cm-gba5-nkau","summary":"RaspAP raspap-webgui contains an OS Command Injection vulnerability\nRaspAP raspap-webgui versions prior to 3.3.6 contain an OS Command Injection vulnerability. If exploited, an arbitrary OS command may be executed by a user who can log in to the product.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24788","reference_id":"","reference_type":"","scores":[{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.27973","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.27968","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.28011","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.28048","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.28098","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24788"},{"reference_url":"https://github.com/RaspAP/raspap-webgui","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/RaspAP/raspap-webgui"},{"reference_url":"https://github.com/RaspAP/raspap-webgui/commit/f514f5a12ef0c34853b5370ef55d630b499f977d","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/RaspAP/raspap-webgui/commit/f514f5a12ef0c34853b5370ef55d630b499f977d"},{"reference_url":"https://github.com/RaspAP/raspap-webgui/releases/tag/3.3.6","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/RaspAP/raspap-webgui/releases/tag/3.3.6"},{"reference_url":"https://jvn.jp/en/jp/JVN27202136","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://jvn.jp/en/jp/JVN27202136"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24788","reference_id":"CVE-2026-24788","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24788"},{"reference_url":"https://github.com/advisories/GHSA-4wwf-f7w3-94f5","reference_id":"GHSA-4wwf-f7w3-94f5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4wwf-f7w3-94f5"},{"reference_url":"https://jvn.jp/en/jp/JVN27202136/","reference_id":"JVN27202136","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-02T16:26:17Z/"}],"url":"https://jvn.jp/en/jp/JVN27202136/"},{"reference_url":"https://github.com/RaspAP/raspap-webgui/releases","reference_id":"releases","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-02T16:26:17Z/"}],"url":"https://github.com/RaspAP/raspap-webgui/releases"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73790?format=json","purl":"pkg:composer/billz/raspap-webgui@3.3.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/billz/raspap-webgui@3.3.6"}],"aliases":["CVE-2026-24788","GHSA-4wwf-f7w3-94f5"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-34cm-gba5-nkau"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47234?format=json","vulnerability_id":"VCID-a55j-syy8-3bdd","summary":"raspap-webgui vulnerable to denial of service\nRaspAP (aka raspap-webgui) through 3.0.9 allows remote attackers to cause a persistent denial of service (bricking) via a crafted request.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28754","reference_id":"","reference_type":"","scores":[{"value":"0.00361","scoring_system":"epss","scoring_elements":"0.58542","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00361","scoring_system":"epss","scoring_elements":"0.58544","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00361","scoring_system":"epss","scoring_elements":"0.58529","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00361","scoring_system":"epss","scoring_elements":"0.58543","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00361","scoring_system":"epss","scoring_elements":"0.58551","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28754"},{"reference_url":"https://dustri.org/b/carrot-disclosure.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-01T19:08:56Z/"}],"url":"https://dustri.org/b/carrot-disclosure.html"},{"reference_url":"https://github.com/RaspAP/raspap-webgui","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/RaspAP/raspap-webgui"},{"reference_url":"https://github.com/RaspAP/raspap-webgui/commit/d0592b63de9a5da587ab3a51e03e7e566c7f3602","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/RaspAP/raspap-webgui/commit/d0592b63de9a5da587ab3a51e03e7e566c7f3602"},{"reference_url":"https://github.com/RaspAP/raspap-webgui/pull/1546","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/RaspAP/raspap-webgui/pull/1546"},{"reference_url":"https://github.com/RaspAP/raspap-webgui/pull/1548","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/RaspAP/raspap-webgui/pull/1548"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28754","reference_id":"CVE-2024-28754","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28754"},{"reference_url":"https://github.com/advisories/GHSA-vc9f-mgxr-h32r","reference_id":"GHSA-vc9f-mgxr-h32r","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vc9f-mgxr-h32r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/69289?format=json","purl":"pkg:composer/billz/raspap-webgui@3.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-34cm-gba5-nkau"},{"vulnerability":"VCID-bbb7-6q3n-b7fp"},{"vulnerability":"VCID-xuhk-qah5-a7fh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/billz/raspap-webgui@3.1.0"}],"aliases":["CVE-2024-28754","GHSA-vc9f-mgxr-h32r"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a55j-syy8-3bdd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57539?format=json","vulnerability_id":"VCID-bbb7-6q3n-b7fp","summary":"raspap-webgui has a Directory Traversal vulnerability\nRaspAP raspap-webgui 3.3.1 is vulnerable to Directory Traversal in ajax/networking/get_wgkey.php. An authenticated attacker can send a crafted POST request with a path traversal payload in the `entity` parameter to overwrite arbitrary files writable by the web server via abuse of the `tee` command used in shell execution.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-44163","reference_id":"","reference_type":"","scores":[{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.352","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35149","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35184","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35127","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35162","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-44163"},{"reference_url":"https://gist.github.com/YichaoXu/3694f039a3d1b973efd068e4dc662a41","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-27T20:00:04Z/"}],"url":"https://gist.github.com/YichaoXu/3694f039a3d1b973efd068e4dc662a41"},{"reference_url":"https://github.com/RaspAP/raspap-webgui","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/RaspAP/raspap-webgui"},{"reference_url":"https://github.com/RaspAP/raspap-webgui/blob/125ae7a39ad7c9a71250d3b3e349fd767687ff8d/ajax/networking/get_wgkey.php#L9","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-27T20:00:04Z/"}],"url":"https://github.com/RaspAP/raspap-webgui/blob/125ae7a39ad7c9a71250d3b3e349fd767687ff8d/ajax/networking/get_wgkey.php#L9"},{"reference_url":"https://github.com/RaspAP/raspap-webgui/commit/eb53c46c336384d78336b021adea94d9257e1d67","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/RaspAP/raspap-webgui/commit/eb53c46c336384d78336b021adea94d9257e1d67"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-44163","reference_id":"CVE-2025-44163","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-44163"},{"reference_url":"https://github.com/advisories/GHSA-277f-37gw-9gmq","reference_id":"GHSA-277f-37gw-9gmq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-277f-37gw-9gmq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73790?format=json","purl":"pkg:composer/billz/raspap-webgui@3.3.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/billz/raspap-webgui@3.3.6"}],"aliases":["CVE-2025-44163","GHSA-277f-37gw-9gmq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bbb7-6q3n-b7fp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47254?format=json","vulnerability_id":"VCID-fav9-nhr2-hkby","summary":"RaspAP Vulnerable to Code Injection via an Unknown Process in File `includes/provider.php`\nA vulnerability was found in RaspAP raspap-webgui 3.0.9 and classified as critical. This issue affects some unknown processing of the file includes/provider.php of the component HTTP POST Request Handler. The manipulation of the argument country leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256919. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-2497","reference_id":"","reference_type":"","scores":[{"value":"0.001","scoring_system":"epss","scoring_elements":"0.27399","published_at":"2026-06-05T12:55:00Z"},{"value":"0.001","scoring_system":"epss","scoring_elements":"0.27268","published_at":"2026-06-09T12:55:00Z"},{"value":"0.001","scoring_system":"epss","scoring_elements":"0.27259","published_at":"2026-06-08T12:55:00Z"},{"value":"0.001","scoring_system":"epss","scoring_elements":"0.2731","published_at":"2026-06-07T12:55:00Z"},{"value":"0.001","scoring_system":"epss","scoring_elements":"0.27349","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-2497"},{"reference_url":"https://github.com/RaspAP/raspap-webgui","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/RaspAP/raspap-webgui"},{"reference_url":"https://toradah.notion.site/Code-Injection-Leading-to-Remote-Code-Execution-RCE-in-RaspAP-Web-GUI-d321e1a416694520bec7099253c65060?pvs=4","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:M/C:P/I:P/A:P"},{"value":"4.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-15T17:43:42Z/"}],"url":"https://toradah.notion.site/Code-Injection-Leading-to-Remote-Code-Execution-RCE-in-RaspAP-Web-GUI-d321e1a416694520bec7099253c65060?pvs=4"},{"reference_url":"https://vuldb.com/?ctiid.256919","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:M/C:P/I:P/A:P"},{"value":"4.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-15T17:43:42Z/"}],"url":"https://vuldb.com/?ctiid.256919"},{"reference_url":"https://vuldb.com/?id.256919","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:M/C:P/I:P/A:P"},{"value":"4.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-15T17:43:42Z/"}],"url":"https://vuldb.com/?id.256919"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2497","reference_id":"CVE-2024-2497","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2497"},{"reference_url":"https://github.com/advisories/GHSA-99wg-vmvq-2cp5","reference_id":"GHSA-99wg-vmvq-2cp5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-99wg-vmvq-2cp5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/69289?format=json","purl":"pkg:composer/billz/raspap-webgui@3.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-34cm-gba5-nkau"},{"vulnerability":"VCID-bbb7-6q3n-b7fp"},{"vulnerability":"VCID-xuhk-qah5-a7fh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/billz/raspap-webgui@3.1.0"}],"aliases":["CVE-2024-2497","GHSA-99wg-vmvq-2cp5"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fav9-nhr2-hkby"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41420?format=json","vulnerability_id":"VCID-htzp-we7v-pfh1","summary":"Incorrect Permission Assignment for Critical Resource\nraspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-38557","reference_id":"","reference_type":"","scores":[{"value":"0.00728","scoring_system":"epss","scoring_elements":"0.73033","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00728","scoring_system":"epss","scoring_elements":"0.73039","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00728","scoring_system":"epss","scoring_elements":"0.72995","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00728","scoring_system":"epss","scoring_elements":"0.73034","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00728","scoring_system":"epss","scoring_elements":"0.7301","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00728","scoring_system":"epss","scoring_elements":"0.73022","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-38557"},{"reference_url":"https://github.com/RaspAP/raspap-webgui","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/RaspAP/raspap-webgui"},{"reference_url":"https://github.com/RaspAP/raspap-webgui/blob/fabc48c7daae4013b9888f266332e510b196a062/installers/raspap.sudoers","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/RaspAP/raspap-webgui/blob/fabc48c7daae4013b9888f266332e510b196a062/installers/raspap.sudoers"},{"reference_url":"https://zerosecuritypenetrationtesting.com/?page_id=306","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://zerosecuritypenetrationtesting.com/?page_id=306"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-38557","reference_id":"CVE-2021-38557","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-38557"},{"reference_url":"https://github.com/advisories/GHSA-536p-4pcj-5mr9","reference_id":"GHSA-536p-4pcj-5mr9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-536p-4pcj-5mr9"}],"fixed_packages":[],"aliases":["CVE-2021-38557","GHSA-536p-4pcj-5mr9"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-htzp-we7v-pfh1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45487?format=json","vulnerability_id":"VCID-tg31-d9aa-xuf4","summary":"Improper Neutralization of Special Elements used in a Command ('Command Injection')\nCommand injection vulnerability in RaspAP raspap-webgui 2.8.8 and earlier allows remote attackers to run arbitrary commands via crafted POST request to hostapd settings form.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-30260","reference_id":"","reference_type":"","scores":[{"value":"0.02554","scoring_system":"epss","scoring_elements":"0.85794","published_at":"2026-06-09T12:55:00Z"},{"value":"0.02554","scoring_system":"epss","scoring_elements":"0.8578","published_at":"2026-06-08T12:55:00Z"},{"value":"0.02554","scoring_system":"epss","scoring_elements":"0.85796","published_at":"2026-06-07T12:55:00Z"},{"value":"0.02554","scoring_system":"epss","scoring_elements":"0.85799","published_at":"2026-06-06T12:55:00Z"},{"value":"0.02554","scoring_system":"epss","scoring_elements":"0.85797","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-30260"},{"reference_url":"https://eldstal.se/advisories/230328-raspap.html","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-05T17:00:26Z/"}],"url":"https://eldstal.se/advisories/230328-raspap.html"},{"reference_url":"https://github.com/RaspAP/raspap-webgui","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/RaspAP/raspap-webgui"},{"reference_url":"https://github.com/RaspAP/raspap-webgui/commit/238e1670fcef8b18ec4628ee74fc345607536a16","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/RaspAP/raspap-webgui/commit/238e1670fcef8b18ec4628ee74fc345607536a16"},{"reference_url":"https://github.com/RaspAP/raspap-webgui/pull/1322","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-05T17:00:26Z/"}],"url":"https://github.com/RaspAP/raspap-webgui/pull/1322"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-30260","reference_id":"CVE-2023-30260","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-30260"},{"reference_url":"https://github.com/advisories/GHSA-hhqm-f4m4-pq39","reference_id":"GHSA-hhqm-f4m4-pq39","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hhqm-f4m4-pq39"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/65748?format=json","purl":"pkg:composer/billz/raspap-webgui@2.8.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-34cm-gba5-nkau"},{"vulnerability":"VCID-9rxw-gktn-27hw"},{"vulnerability":"VCID-a55j-syy8-3bdd"},{"vulnerability":"VCID-bbb7-6q3n-b7fp"},{"vulnerability":"VCID-fav9-nhr2-hkby"},{"vulnerability":"VCID-xuhk-qah5-a7fh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/billz/raspap-webgui@2.8.9"}],"aliases":["CVE-2023-30260","GHSA-hhqm-f4m4-pq39"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tg31-d9aa-xuf4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55585?format=json","vulnerability_id":"VCID-xuhk-qah5-a7fh","summary":"RaspAP allows an attacker to escalate privileges\nRaspAP before 3.1.5 allows an attacker to escalate privileges: the www-data user has write access to the restapi.service file and also possesses Sudo privileges to execute several critical commands without a password.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41637","reference_id":"","reference_type":"","scores":[{"value":"0.00262","scoring_system":"epss","scoring_elements":"0.49791","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00262","scoring_system":"epss","scoring_elements":"0.49769","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00262","scoring_system":"epss","scoring_elements":"0.49753","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00262","scoring_system":"epss","scoring_elements":"0.49783","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00262","scoring_system":"epss","scoring_elements":"0.49801","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41637"},{"reference_url":"https://blog.0xzon.dev/2024-07-27-CVE-2024-41637","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://blog.0xzon.dev/2024-07-27-CVE-2024-41637"},{"reference_url":"https://github.com/RaspAP/raspap-webgui","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-29T17:34:42Z/"}],"url":"https://github.com/RaspAP/raspap-webgui"},{"reference_url":"https://blog.0xzon.dev/2024-07-27-CVE-2024-41637/","reference_id":"2024-07-27-CVE-2024-41637","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-29T17:34:42Z/"}],"url":"https://blog.0xzon.dev/2024-07-27-CVE-2024-41637/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41637","reference_id":"CVE-2024-41637","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41637"},{"reference_url":"https://github.com/advisories/GHSA-q623-2j2j-23jj","reference_id":"GHSA-q623-2j2j-23jj","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q623-2j2j-23jj"}],"fixed_packages":[],"aliases":["CVE-2024-41637","GHSA-q623-2j2j-23jj"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xuhk-qah5-a7fh"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/billz/raspap-webgui@2.6.3"}