PYSEC-2026-2339

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/ajenti-panel/PYSEC-2026-2339.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2339
Aliases
Published
2026-07-13T14:36:47.165876Z
Modified
2026-07-13T16:31:36.207158213Z
Severity
  • 7.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L CVSS Calculator
Summary
Ajenti has an authorization bypass during custom package installation
Details

Impact

An authenticated user (using the auth_users plugin authentication method) could install a custom package even if this user is not superuser.

Patches

This is fixed in the version 2.2.15. Users should upgrade to this version as soon as possible.

References

Affected packages

PyPI / ajenti-panel

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.2.15

Affected versions

0.*
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
0.10
0.11
0.12
0.13
0.14
0.15
0.16
0.17
0.18
0.19
0.20
0.21
0.22
0.23
0.25
0.26
0.27
0.28
0.29
0.30
0.31
0.32
0.33
2.*
2.0.34
2.0.35
2.0.36
2.0.37
2.0.38
2.0.39
2.0.40
2.0.41
2.0.42
2.0.43
2.0.44
2.0.45
2.0.46
2.0.47
2.0.48
2.0.49
2.0.50
2.0.51
2.0.52
2.0.53
2.0.54
2.0.55
2.0.56
2.0.57
2.0.58
2.0.59
2.0.60
2.0.61
2.0.62
2.0.63
2.0.64
2.0.65
2.0.66
2.0.67
2.0.68
2.0.69
2.0.70
2.0.71
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.1.12
2.1.13
2.1.14
2.1.15
2.1.16
2.1.17
2.1.18
2.1.19
2.1.20
2.1.21
2.1.22
2.1.23
2.1.24
2.1.25
2.1.26
2.1.27
2.1.28
2.1.29
2.1.30
2.1.31
2.1.32
2.1.33
2.1.34
2.1.35
2.1.36
2.1.37
2.1.38
2.1.39
2.1.40
2.1.42
2.1.43
2.1.44
2.2.0
2.2.1
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.2.13

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/ajenti-panel/PYSEC-2026-2339.yaml"