Description
Kottster is a self hosted Node.js admin panel. From versions 3.2.0 to before 3.3.2, Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode. This affects development mode only, production deployments were never affected. This issue has been fixed in version 3.3.2.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/kottster/kottster/security/advisories/GHSA-j3w7-9qc3-g96p
Scores
CVSS v4
7.2
EPSS
0.0097
EPSS Percentile
76.8%
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-284
CWE-78
Status
published
Products (2)
kottster/kottster
>= 3.2.0, < 3.3.2
kottster/server
3.2.0 - 3.3.2npm
Published
Oct 23, 2025
Tracked Since
Feb 18, 2026