{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24788", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-01-27T00:21:50.072Z", "datePublished": "2026-02-02T04:37:03.392Z", "dateUpdated": "2026-02-02T16:28:56.718Z"}, "containers": {"cna": {"affected": [{"vendor": "RaspAP", "product": "raspap-webgui", "versions": [{"version": "versions prior to 3.3.6", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "RaspAP raspap-webgui versions prior to 3.3.6 contain an OS command injection vulnerability. If exploited, an arbitrary OS command may be executed by a user who can log in to the product."}], "problemTypes": [{"descriptions": [{"description": "Improper neutralization of special elements used in an OS command ('OS Command Injection')", "lang": "en-US", "cweId": "CWE-78", "type": "CWE"}]}], "references": [{"url": "https://github.com/RaspAP/raspap-webgui/releases"}, {"url": "https://jvn.jp/en/jp/JVN27202136/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-02-02T04:37:03.392Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-02T16:26:17.187810Z", "id": "CVE-2026-24788", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T16:28:56.718Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24788", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-02T16:26:17.187810Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T16:26:18.304Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "RaspAP", "product": "raspap-webgui", "versions": [{"status": "affected", "version": "versions prior to 3.3.6"}]}], "references": [{"url": "https://github.com/RaspAP/raspap-webgui/releases"}, {"url": "https://jvn.jp/en/jp/JVN27202136/"}], "descriptions": [{"lang": "en", "value": "RaspAP raspap-webgui versions prior to 3.3.6 contain an OS command injection vulnerability. If exploited, an arbitrary OS command may be executed by a user who can log in to the product."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-78", "description": "Improper neutralization of special elements used in an OS command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-02-02T04:37:03.392Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24788", "state": "PUBLISHED", "dateUpdated": "2026-02-02T16:28:56.718Z", "dateReserved": "2026-01-27T00:21:50.072Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-02-02T04:37:03.392Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "RaspAP raspap-webgui versions prior to 3.3.6 contain an OS command injection vulnerability. If exploited, an arbitrary OS command may be executed by a user who can log in to the product."}, {"lang": "es", "value": "Las versiones de RaspAP raspap-webgui anteriores a la 3.3.6 contienen una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo. Si se explota, un usuario que puede iniciar sesi\u00f3n en el producto puede ejecutar un comando arbitrario del sistema operativo."}], "id": "CVE-2026-24788", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-02-02T05:16:03.940", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://github.com/RaspAP/raspap-webgui/releases"}, {"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/jp/JVN27202136/"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T00:46:26.356639+00:00", "value": {"mitigation_remediation": ["Upgrade raspap-webgui to version 3.3.6 or newer to remove the injection flaw", "If an immediate upgrade is not possible, restrict or disable write\u2011access to the vulnerable input endpoints and enforce strong input validation", "Monitor web traffic and system logs for suspicious commands or unusual system activity"], "summary": {"action": "Patch Immediately", "impact": "Remote command execution"}, "threat_synthesis": {"affected_systems": "Vendor RaspAP; product raspap-webgui prior to version 3.3.6 are affected.", "description_and_impact": "The vulnerability is an OS command injection found in RaspAP raspap-webgui. Attackers who are authenticated and can log in can supply malicious input that is directly passed to a system shell without proper sanitization. This flaw allows the execution of arbitrary operating\u2011system commands, compromising confidentiality, integrity, and availability of the affected device. The weakness is classified as CWE\u201178.", "risk_and_exploitability": "The CVSS base score is 8.7, indicating severe risk. EPSS is reported as <1%, implying a very low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user who can log in to the web interface; from that point, the attacker can construct a request that injects arbitrary commands into the underlying shell. The attack path relies on unsanitized user input being executed directly by the OS."}}}}, "created": "2026-02-02T09:26:07.538769+00:00", "title": "OS Command Injection in RaspAP raspap\u2011webgui Allowing Remote Execution", "updated": "2026-04-18T01:00:11.617212+00:00", "vendors": ["raspap", "raspap$PRODUCT$raspap-webgui"]}