Runtipi

5 vulnerabilities found.

Note: This list may be incomplete. Data is provided in its original format without warranty.
  • EPSS 0.4%
  • Published 16.06.2026 21:43:24
  • Last modified 16.06.2026 21:43:24

Runtipi is a personal homeserver orchestrator. In versions 4.9.1 through 4.9.3, Runtipi serves marketplace app logos from files inside cloned app-store repositories through an unauthenticated endpoint, which leads to arbitrary file read through app-s...

Exploit
  • EPSS 0.34%
  • Published 13.03.2026 21:41:11
  • Last modified 17.03.2026 19:01:54

Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, the Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials (via...

Exploit
  • EPSS 0.43%
  • Published 11.03.2026 18:37:11
  • Last modified 16.03.2026 20:53:43

Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator (admin) password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password...

Exploit
  • EPSS 0.57%
  • Published 29.01.2026 21:49:49
  • Last modified 26.02.2026 21:36:19

Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml` c...

Exploit
  • EPSS 0.46%
  • Published 22.01.2026 22:41:28
  • Last modified 26.02.2026 21:38:33

Runtipi is a Docker-based, personal homeserver orchestrator that facilitates multiple services on a single server. Versions 3.7.0 and above allow an authenticated user to execute arbitrary system commands on the host server by injecting shell metacha...