CVE-2026-24788
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
RaspAP raspap-webgui versions prior to 3.3.6 contain an OS command injection vulnerability. If exploited, an arbitrary OS command may be executed by a user who can log in to the product.
AnalysisAI
Authenticated command injection in RaspAP versions before 3.3.6 allows logged-in users to execute arbitrary operating system commands with full system privileges. The vulnerability requires valid credentials but presents no additional complexity barriers, making it a critical post-authentication risk for deployments where user access controls may be weak. No patch is currently available.
Technical ContextAI
Classified as CWE-78 (OS Command Injection). Affects RaspAP raspap-webgu. RaspAP raspap-webgui versions prior to 3.3.6 contain an OS command injection vulnerability. If exploited, an arbitrary OS command may be executed by a user who can log in to the product.
Affected ProductsAI
Product: RaspAP raspap-webgu. Versions: up to 3.3.6.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-4wwf-f7w3-94f5