PYSEC-2026-308

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/cbpi4/PYSEC-2026-308.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-308
Aliases
Published
2026-06-29T11:50:40.064038Z
Modified
2026-07-01T20:22:50.205186Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
CraftBeerPi 4 allows arbitrary code execution
Details

The URL GET parameter "logtime", read by the "downloadlog" function in "cbpi/httpendpoints/httpsystem.py", is passed on to the "os.system" call in "cbpi/controller/system_controller.py" without prior validation, allowing arbitrary code execution. This issue affects CraftBeerPi 4 from 4.0.0.58 (commit 563fae9) before 4.4.1.a1 (commit 57572c7).

References

Affected packages

PyPI / cbpi4

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0.58
Fixed
4.4.1.a1

Affected versions

4.*
4.0.5a13
4.0.5a14
4.0.5a15
4.0.5a16
4.0.5
4.0.6
4.0.7rc1
4.0.7rc3
4.0.7
4.1.0a2
4.1.0a3
4.1.0rc1
4.1.0rc2
4.1.0rc5
4.1.0rc8
4.1.0
4.1.2
4.1.6
4.1.7rc1
4.1.7
4.1.10rc2
4.1.10
4.1.11
4.2.0a6
4.2.0rc1
4.2.0
4.3.0
4.3.1
4.3.2
4.4.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/cbpi4/PYSEC-2026-308.yaml"