Key Information

Affected Product: RaspAP
CVE ID: CVE-2025-50428
CVSS Score: 9.1 (Critical)
Vulnerability Type: Post-Authentication OS Command Injection

Vulnerability Overview

Issue Description

In the affected endpoint, a POST request whose JSON body carries malicious parameter values can trigger OS command injection. The two affected parameters are not validated or escaped before being used in a shell command, so an authenticated attacker can execute arbitrary commands on the host by crafting a specific JSON payload.

Vulnerable Code Example

Exploitation Path

An attacker triggers the vulnerability by sending a POST request to the affected endpoint with malicious values in the JSON parameters. Because the issue is post-authentication, the attacker first needs an authenticated session on the RaspAP web interface.

Example request:

CVSS Score

CVSS v3.1: 9.1 (Critical)

Solution / Mitigation

Validate and escape the input parameters so that they cannot carry shell metacharacters or additional commands: check each value against an allowlist of the formats the endpoint expects, and quote anything that is passed to a shell (for example with PHP's escapeshellarg()). Modify the relevant code in the two affected files to prevent command injection.

Disclosure Timeline

2025-05-09: Vulnerability discovered
2025-06-12: Vendor notified
2025-07-14: Vendor confirmed and fixed
2025-08-12: Public disclosure
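The following is an added illustration of the bug class and the mitigation described above; it is not RaspAP's code and does not reproduce the affected endpoint. The handler, the parameter names `interface` and `channel`, and the `iwconfig` command are hypothetical, chosen only because RaspAP is a PHP application that wraps wireless tooling. The vulnerable builder interpolates JSON fields straight into a command string; the hardened builder rejects anything outside an allowlist and quotes each argument with escapeshellarg().

```php
<?php
// Added example, not RaspAP's code. Hypothetical handler that reads two
// fields from a JSON POST body and builds a shell command from them.
declare(strict_types=1);

// Vulnerable pattern: JSON values are concatenated into the command line.
// A value such as "wlan0; id" ends the intended command and starts a new one.
function buildCommandVulnerable(array $json): string
{
    $iface   = (string)($json['interface'] ?? '');
    $channel = (string)($json['channel'] ?? '');
    return "iwconfig $iface channel $channel";
}

// Hardened pattern, step 1: allowlist each field against its expected shape.
function validateInterface(string $value): string
{
    // Linux interface names: lowercase letter followed by up to 14 alphanumerics.
    if (!preg_match('/^[a-z][a-z0-9]{0,14}$/', $value)) {
        throw new InvalidArgumentException('invalid interface name');
    }
    return $value;
}

function validateChannel(string $value): int
{
    // Channel must be a small positive integer; nothing else reaches the shell.
    if (!preg_match('/^[0-9]{1,3}$/', $value)) {
        throw new InvalidArgumentException('invalid channel');
    }
    $channel = (int)$value;
    if ($channel < 1 || $channel > 196) {
        throw new InvalidArgumentException('channel out of range');
    }
    return $channel;
}

// Hardened pattern, step 2: quote every argument even after validation, so
// the command stays safe if the allowlist is later loosened.
function buildCommandHardened(array $json): string
{
    $iface   = validateInterface((string)($json['interface'] ?? ''));
    $channel = validateChannel((string)($json['channel'] ?? ''));
    return 'iwconfig ' . escapeshellarg($iface)
         . ' channel ' . escapeshellarg((string)$channel);
}

// Constructed sample payloads (not taken from the advisory).
$benign    = json_decode('{"interface":"wlan0","channel":"6"}', true);
$malicious = json_decode('{"interface":"wlan0; id","channel":"6"}', true);

echo buildCommandVulnerable($benign), PHP_EOL;
echo buildCommandVulnerable($malicious), PHP_EOL;   // second command smuggled in
echo buildCommandHardened($benign), PHP_EOL;
try {
    buildCommandHardened($malicious);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;   // never reaches the shell
}
```

Run it with `php example.php`. The point of keeping both the allowlist and escapeshellarg() is defence in depth: the allowlist makes the accepted values small enough to reason about, and the quoting guarantees that even an accepted value is handed to the shell as a single argument rather than parsed as syntax. Validation alone is brittle (a regex that admits a space or a backtick reopens the hole), and quoting alone still lets an attacker pass unexpected but syntactically harmless values to the underlying tool.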