Ajenti has an authorization bypass during custom package installation
An authenticated user (using the auth_users plugin authentication method) could install a custom package even if this user is not a superuser.
Ajenti contains an Improper Error Handling vulnerability in the login JSON request that can result in a path traversal.
Ajenti contains an Information Disclosure vulnerability that can result in user and system enumeration.
Ajenti contains an Insecure Permissions vulnerability that allows normal users to download arbitrary plugins.
Ajenti contains an Input Validation vulnerability. An attacker can freeze the server by sending a long string through the ID parameter.
Ajenti contains a CSRF vulnerability in the command execution panel of the tool used to manage the server.