This page aggregates CVE and security vulnerability information across raspap-related products, listing the CVSS score, EPSS score, publication date and vulnerability details for each entry.
Past issues mainly concern path-handling flaws, denial of service and command injection; some lead to file overwrite, and they affect scenarios involving software deployment and production workloads.
The listed data is based on public vulnerability information and security advisories and can be used to assess past exposure and patching priorities.
| CVE | Summary | Source | Max CVSS | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-50428 | In RaspAP raspap-webgui 3.3.2 and earlier, a command injection vulnerability exists in the includes/hostapd.php script. The vulnerability is due to improper sanitizing of user input passed via the interface parameter. | [email protected] | 9.8 | 3.84% | 2025-08-27 | 2025-09-09 |
| CVE-2025-44163 | RaspAP raspap-webgui 3.3.1 is vulnerable to Directory Traversal in ajax/networking/get_wgkey.php. An authenticated attacker can send a crafted POST request with a path traversal payload in the `entity` parameter to overwrite arbitrary files writable by the web server via abuse of the `tee` command used in shell execution. | [email protected] | 6.3 | 0.07% | 2025-06-27 | 2025-11-10 |
| CVE-2024-36622 | In RaspAP raspap-webgui 3.0.9 and earlier, a command injection vulnerability exists in the clearlog.php script. The vulnerability is due to improper sanitization of user input passed via the logfile parameter. | [email protected] | 9.8 | 0.83% | 2024-11-29 | 2025-07-02 |
| CVE-2024-2497 | A vulnerability was found in RaspAP raspap-webgui 3.0.9 and classified as critical. This issue affects some unknown processing of the file includes/provider.php of the component HTTP POST Request Handler. The manipulation of the argument country leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256919. NOTE: The vendor was contacted early about this disclosure but did | [email protected] | 4.7 | 0.07% | 2024-03-15 | 2025-04-09 |
| CVE-2024-28754 | RaspAP (aka raspap-webgui) through 3.0.9 allows remote attackers to cause a persistent denial of service (bricking) via a crafted request. | [email protected] | 7.5 | 0.36% | 2024-03-09 | 2025-05-01 |
| CVE-2024-28753 | RaspAP (aka raspap-webgui) through 3.0.9 allows remote attackers to read the /etc/passwd file via a crafted request. | [email protected] | 6.5 | 0.06% | 2024-03-09 | 2025-05-01 |
| CVE-2022-39987 | A Command injection vulnerability in RaspAP 2.8.0 thru 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the "entity" POST parameters in /ajax/networking/get_wgkey.php. | [email protected] | 8.8 | 76.47% | 2023-08-01 | 2024-11-21 |
| CVE-2022-39986 | A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php. | [email protected] | 9.8 | 93.06% | 2023-08-01 | 2024-11-21 |
| CVE-2023-30260 | Command injection vulnerability in RaspAP raspap-webgui 2.8.8 and earlier allows remote attackers to run arbitrary commands via crafted POST request to hostapd settings form. | [email protected] | 8.8 | 2.55% | 2023-06-23 | 2024-11-21 |
| CVE-2021-38557 | raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content. | [email protected] | 8.8 | 0.73% | 2021-08-24 | 2024-11-21 |
| CVE-2021-38556 | includes/configure_client.php in RaspAP 2.6.6 allows attackers to execute commands via command injection. | [email protected] | 8.8 | 18.63% | 2021-08-24 | 2024-11-21 |
| CVE-2021-33358 | Multiple vulnerabilities exist in RaspAP 2.3 to 2.6.5 in the "interface", "ssid" and "wpa_passphrase" POST parameters in /hostapd, when the parameter values contain special characters such as ";" or "$()" which enables an authenticated attacker to execute arbitrary OS commands. | [email protected] | 8.8 | 0.81% | 2021-06-09 | 2024-11-21 |
| CVE-2021-33357 | A vulnerability exists in RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";" which enables an unauthenticated attacker to execute arbitrary OS commands. | [email protected] | 9.8 | 92.81% | 2021-06-09 | 2024-11-21 |
| CVE-2021-33356 | Multiple privilege escalation vulnerabilities in RaspAP 1.5 to 2.6.5 could allow an authenticated remote attacker to inject arbitrary commands to /installers/common.sh component that can result in remote command execution with root privileges. | [email protected] | 8.8 | 11.12% | 2021-06-09 | 2024-11-21 |
| CVE-2020-24572 | An issue was discovered in includes/webconsole.php in RaspAP 2.5. With authenticated access, an attacker can use a misconfigured (and virtually unrestricted) web console to attack the underlying OS (Raspberry Pi) running this software, and execute commands on the system (including ones for uploading of files and execution of code). | [email protected] | 8.8 | 42.14% | 2020-08-24 | 2024-11-21 |