Skip to main content

Bunkerweb

2 CVEs product

Monthly

CVE-2026-54728 MEDIUM PATCH This Month

Privilege escalation in BunkerWeb's UI and API allows a low-privileged authenticated user to inject attacker-controlled Datalog facts into signed Biscuit authorization tokens by manipulating the HTTP Host header, which was interpolated directly into the token builder string without parameterization. Affected are BunkerWeb open-source versions prior to 1.6.12 and BunkerWeb PRO prior to 0.57. No public exploit identified at time of analysis, but the public commit diff fully documents the injection mechanism, making reproduction straightforward for any authenticated low-privileged account holder.

Privilege Escalation Bunkerweb
NVD GitHub
CVSS 4.0
6.1
CVE-2026-61718 MEDIUM PATCH This Month

Improper authorization in BunkerWeb's web UI middleware allows authenticated reader-role accounts to permanently delete WAF job cache files in versions 1.6.2 through 1.6.11. The BiscuitMiddleware bypass list incorrectly included the `/cache/` URL prefix, causing the `POST /cache/delete` route to skip Biscuit role-based access control and enforce only Flask's `@login_required` decorator, making write-privileged cache operations accessible to any authenticated user. Deleted cache can include blacklists, GeoIP data, ModSecurity CRS rules, CrowdSec data, and ACME/Let's Encrypt certificate material, degrading WAF protective capability. No public exploit is identified at time of analysis; vendor-released patch is available in version 1.6.12.

Authentication Bypass Bunkerweb
NVD GitHub
CVSS 3.1
5.4
CVSS 6.1
MEDIUM PATCH This Month

Privilege escalation in BunkerWeb's UI and API allows a low-privileged authenticated user to inject attacker-controlled Datalog facts into signed Biscuit authorization tokens by manipulating the HTTP Host header, which was interpolated directly into the token builder string without parameterization. Affected are BunkerWeb open-source versions prior to 1.6.12 and BunkerWeb PRO prior to 0.57. No public exploit identified at time of analysis, but the public commit diff fully documents the injection mechanism, making reproduction straightforward for any authenticated low-privileged account holder.

Privilege Escalation Bunkerweb
NVD GitHub
CVSS 5.4
MEDIUM PATCH This Month

Improper authorization in BunkerWeb's web UI middleware allows authenticated reader-role accounts to permanently delete WAF job cache files in versions 1.6.2 through 1.6.11. The BiscuitMiddleware bypass list incorrectly included the `/cache/` URL prefix, causing the `POST /cache/delete` route to skip Biscuit role-based access control and enforce only Flask's `@login_required` decorator, making write-privileged cache operations accessible to any authenticated user. Deleted cache can include blacklists, GeoIP data, ModSecurity CRS rules, CrowdSec data, and ACME/Let's Encrypt certificate material, degrading WAF protective capability. No public exploit is identified at time of analysis; vendor-released patch is available in version 1.6.12.

Authentication Bypass Bunkerweb
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy