Submit #801533: wooey Wooey 0.13.3-dev Code Injectioninfo

Titlewooey Wooey 0.13.3-dev Code Injection
DescriptionA vulnerability was found in wooey Wooey (master branch, post v0.13.2). The add_or_update_script API endpoint (/api/scripts/v1/add-or-update/) in wooey/api/scripts.py only checks if a user is authenticated but does not verify staff/admin privileges. This allows any registered user to upload arbitrary Python scripts via the API, which are then executed by Celery workers, leading to Remote Code Execution (RCE). The attack can be initiated remotely and does not require special privileges beyond a registered account.
Source⚠️ https://github.com/wooey/Wooey/issues/408
User
 anch0r (UID 96691)
Submission04/10/2026 03:52 (3 months ago)
Moderation04/26/2026 21:43 (17 days later)
StatusAccepted
VulDB entry359741 [Wooey up to 0.13.2 API Endpoint wooey/api/scripts.py add_or_update_script improper authorization]
Points20

Want to know what is going to be exploited?

We predict KEV entries!