CVE-2026-24788: RaspAP raspap-webgui contains an OS Command Injection vulnerability

February 2, 2026

RaspAP raspap-webgui versions prior to 3.3.6 contain an OS Command Injection vulnerability. If exploited, an arbitrary OS command may be executed by a user who can log in to the product.

References

github.com/RaspAP/raspap-webgui
github.com/RaspAP/raspap-webgui/commit/f514f5a12ef0c34853b5370ef55d630b499f977d
github.com/RaspAP/raspap-webgui/releases/tag/3.3.6
github.com/advisories/GHSA-4wwf-f7w3-94f5
jvn.jp/en/jp/JVN27202136
nvd.nist.gov/vuln/detail/CVE-2026-24788

Code Behaviors & Features

Detect and mitigate CVE-2026-24788 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →