includes/configure_client.php in RaspAP 2.6.6 allows attackers to execute commands via command injection.