彙總 casbin 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
歷史漏洞主要涉及 SSRF與開放重定向 等問題,部分漏洞可能導致 檔案覆寫,並影響 生產負載與軟體部署 相關場景。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2026-6815 | An arbitrary file write vulnerability exists in Casdoor's Local File System storage provider. Due to insufficient path sanitization, an authenticated attacker with administrative privileges can perform a Path Traversal attack to create or overwrite arbitrary files anywhere on the host filesystem, bypassing the application's intended storage sandbox. | [email protected] | 5.9 | 0.51% | 2026-05-11 | 2026-06-17 |
| CVE-2026-5469 | A weakness has been identified in Casdoor 2.356.0. This vulnerability affects unknown code of the component Webhook URL Handler. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 5.1 | 0.30% | 2026-04-03 | 2026-06-17 |
| CVE-2026-5468 | A security flaw has been discovered in Casdoor 2.356.0. This affects the function dangerouslySetInnerHTML. Performing a manipulation of the argument formCss/formCssMobile/formSideHtml results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 2.0 | 0.19% | 2026-04-03 | 2026-06-17 |
| CVE-2026-5467 | A vulnerability was identified in Casdoor 2.356.0. Affected by this issue is some unknown functionality of the component OAuth Authorization Request Handler. Such manipulation of the argument redirect_uri leads to open redirect. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 2.1 | 0.32% | 2026-04-03 | 2026-06-17 |
| CVE-2024-41658 | Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, he purchase URL that is created to generate a WechatPay QR code is vulnerable to reflected XSS. When purchasing an item through casdoor, the product page allows you to pay via wechat pay. When using wechat pay, a QR code with the wechat pay link is displayed on the payment page, hosted on the domain of casdoor. This page takes a query parameter from the url successUrl, and | [email protected] | 6.1 | 0.42% | 2024-08-20 | 2026-06-17 |
| CVE-2024-41657 | Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to the a logic error in checking only for a prefix when authenticating the Origin header, any domain can create a valid subdomain with a valid subdomain prefix (Ex: localhost.example.com), allowing the website to make reques | [email protected] | 8.1 | 0.75% | 2024-08-20 | 2026-06-17 |
| CVE-2024-41264 | An issue discovered in casdoor v1.636.0 allows attackers to obtain sensitive information via the ssh.InsecureIgnoreHostKey() method. | [email protected] | 7.5 | 0.46% | 2024-08-01 | 2026-06-17 |
| CVE-2023-34927 | Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password. This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL. | [email protected] | 6.5 | 3.09% | 2023-06-22 | 2026-06-17 |
| CVE-2022-44942 | Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function. | [email protected] | 8.1 | 0.86% | 2022-12-06 | 2026-06-17 |
| CVE-2022-38638 | Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/upload-resource. | [email protected] | 9.1 | 0.95% | 2022-09-09 | 2026-06-17 |
| CVE-2022-24124 | The query API in Casdoor before 1.13.1 has a SQL injection vulnerability related to the field and value parameters, as demonstrated by api/get-organizations. | [email protected] | 7.5 | 58.93% | 2022-01-29 | 2026-06-17 |