RaspAP raspap-webgui, OS Command Injection, CVE-not-provided (High)

Listen to this Post

The vulnerability in RaspAP’s web GUI prior to version 3.3.6 stems from improper neutralization of user-supplied input used in the context of an OS command. A critical flaw exists where the application constructs shell commands using external input, such as parameters from authenticated user requests, without adequate validation or sanitization. Specifically, the application passes unsanitized user-controlled data directly to a system shell or command execution function (e.g., exec(), system()). An authenticated attacker can inject arbitrary commands by crafting malicious input containing shell metacharacters like semicolons (;), ampersands (&), or backticks (`). When the vulnerable code processes this input, the injected command is executed with the same privileges as the web server process, typically running as a privileged user like ‘www-data’ or ‘root’. This allows for complete compromise of the underlying Raspberry Pi system, enabling activities such as installation of malware, data exfiltration, or creation of backdoor user accounts.
Platform: RaspAP raspap-webgui
Version: prior 3.3.6
Vulnerability: OS Command Injection
Severity: High
Date: Feb 2 2026

Prediction: Feb 2026

What Undercode Say:

curl -X POST http://raspap.local/admin/endpoint --data "param=$(cat /etc/passwd)"
// Hypothetical vulnerable code snippet
$user_input = $_POST['hostname'];
system("iwconfig wlan0 essid " . $user_input);

How Exploit:

Authenticated attacker injects commands via crafted POST parameters containing shell metacharacters to execute arbitrary code on the host system.

Protection from this CVE:

Upgrade to version 3.3.6 immediately. Implement strict input validation and use parameterized APIs instead of shell command concatenation.

Impact:

Full system compromise, unauthorized access, potential ransomware deployment, and complete control of the Raspberry Pi device.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top