Description
RaspAP raspap-webgui versions prior to 3.3.6 contain an OS command injection vulnerability. If exploited, an arbitrary OS command may be executed by a user who can log in to the product.
Published: 2026-02-02
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote command execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is an OS command injection found in RaspAP raspap-webgui. Attackers who are authenticated and can log in can supply malicious input that is directly passed to a system shell without proper sanitization. This flaw allows the execution of arbitrary operating‑system commands, compromising confidentiality, integrity, and availability of the affected device. The weakness is classified as CWE‑78.

Affected Systems

Vendor RaspAP; product raspap-webgui prior to version 3.3.6 are affected.

Risk and Exploitability

The CVSS base score is 8.7, indicating severe risk. EPSS is reported as <1%, implying a very low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user who can log in to the web interface; from that point, the attacker can construct a request that injects arbitrary commands into the underlying shell. The attack path relies on unsanitized user input being executed directly by the OS.

Generated by OpenCVE AI on April 18, 2026 at 00:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade raspap-webgui to version 3.3.6 or newer to remove the injection flaw
  • If an immediate upgrade is not possible, restrict or disable write‑access to the vulnerable input endpoints and enforce strong input validation
  • Monitor web traffic and system logs for suspicious commands or unusual system activity

Generated by OpenCVE AI on April 18, 2026 at 00:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4wwf-f7w3-94f5 RaspAP raspap-webgui contains an OS Command Injection vulnerability
History

Sat, 18 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Title OS Command Injection in RaspAP raspap‑webgui Allowing Remote Execution

Tue, 03 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Raspap
Raspap raspap-webgui
Vendors & Products Raspap
Raspap raspap-webgui

Mon, 02 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 05:00:00 +0000

Type Values Removed Values Added
Description RaspAP raspap-webgui versions prior to 3.3.6 contain an OS command injection vulnerability. If exploited, an arbitrary OS command may be executed by a user who can log in to the product.
Weaknesses CWE-78
References
Metrics cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Raspap Raspap-webgui
cve-icon MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-02-02T16:28:56.718Z

Reserved: 2026-01-27T00:21:50.072Z

Link: CVE-2026-24788

cve-icon Vulnrichment

Updated: 2026-02-02T16:26:18.304Z

cve-icon NVD

Status : Deferred

Published: 2026-02-02T05:16:03.940

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24788

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T01:00:11Z

Weaknesses