An authenticated user (using the auth_users plugin authentication method) could install a custom package even if this user is not superuser.
auth_users
This is fixed in the version 2.2.15. Users should upgrade to this version as soon as possible.
"https://github.com/pypa/advisory-database/blob/main/vulns/ajenti-panel/PYSEC-2026-2339.yaml"