CVE-2024-49366
HIGHnginxui/nginx_ui < 2.0.0-beta.35 - Path Traversal and Arbitrary File Write
Title source: llmDescription
Nginx UI is a web user interface for the Nginx web server. Nginx UI v2.0.0-beta.35 and earlier gets the value from the json field without verification, and can construct a value value in the form of `../../`. Arbitrary files can be written to the server, which may result in loss of permissions. Version 2.0.0-beta.26 fixes the issue.
References (2)
Core 2
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-prv4-rx44-f7jr
Release Notes x_refsource_misc
https://github.com/0xJacky/nginx-ui/releases/tag/v2.0.0-beta.36
Scores
CVSS v3
7.5
EPSS
0.0058
EPSS Percentile
43.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (2)
nginxui/nginx_ui
2.0.0 beta1 (48 CPE variants)
nginxui/nginx_ui
< 1.9.9-4
Published
Oct 21, 2024
Tracked Since
Feb 18, 2026