| Название | wooey Wooey 0.13.3-dev Code Injection |
|---|
| Описание | A vulnerability was found in wooey Wooey (master branch, post v0.13.2). The add_or_update_script API endpoint (/api/scripts/v1/add-or-update/) in wooey/api/scripts.py only checks if a user is authenticated but does not verify staff/admin privileges. This allows any registered user to upload arbitrary Python scripts via the API, which are then executed by Celery workers, leading to Remote Code Execution (RCE). The attack can be initiated remotely and does not require special privileges beyond a registered account. |
|---|
| Источник | ⚠️ https://github.com/wooey/Wooey/issues/408 |
|---|
| Пользователь | anch0r (UID 96691) |
|---|
| Представление | 10.04.2026 03:52 (18 дни назад) |
|---|
| Модерация | 26.04.2026 21:43 (17 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 359741 [Wooey до 0.13.2 API Endpoint wooey/api/scripts.py add_or_update_script эскалация привилегий] |
|---|
| Баллы | 20 |
|---|