2 matches found
CVE-2026-31881
Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator admin password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization...
PT-2026-5367
Name of the Vulnerable Software and Affected Versions Runtipi versions 4.5.0 through 4.7.1 Description Runtipi is a personal homeserver orchestrator. An unauthenticated Path Traversal vulnerability exists in the UserConfigController. This allows a remote user to overwrite the system's...