
13 matches found

Veracode
added 2026/02/02 9:25 a.m. | 8 views

Improper Access Control

Kottster is vulnerable to Improper Access Control. The vulnerability is due to insecure handling of development-mode functionality, which allows an unauthenticated attacker to execute arbitrary code on the server when the application is running in development mode...

CVSS 9.2 | AI score 6.1 | EPSS 0.00906
Exploits: 0 | References: 2 | Affected Software: 3

RedhatCVE
added 2025/10/24 4:25 p.m. | 2 views

CVE-2025-62713

Kottster is a self-hosted Node.js admin panel. From versions 3.2.0 to before 3.3.2, Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode. This affects development mode only; production deployments were never affected. This issue has been...

CVSS 9.2 | AI score 8 | EPSS 0.00906
Exploits: 0 | References: 1

NVD
added 2025/10/23 5:15 p.m. | 4 views

CVE-2025-62713

Kottster is a self-hosted Node.js admin panel. From versions 3.2.0 to before 3.3.2, Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode. This affects development mode only; production deployments were never affected. This issue has been...

CVSS 9.2 | EPSS 0.00906
Exploits: 0 | References: 2

Vulnrichment
added 2025/10/23 4:15 p.m. | 1 view

CVE-2025-62713 Kottster app reinitialization can be re-triggered allowing command injection in development mode

Kottster is a self-hosted Node.js admin panel. From versions 3.2.0 to before 3.3.2, Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode. This affects development mode only; production deployments were never affected. This issue has been...

CVSS 9.2 | AI score 7.7 | EPSS 0.00906
Exploits: 0 | References: 2

Cvelist
added 2025/10/23 4:15 p.m. | 5 views

CVE-2025-62713 Kottster app reinitialization can be re-triggered allowing command injection in development mode

Kottster is a self-hosted Node.js admin panel. From versions 3.2.0 to before 3.3.2, Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode. This affects development mode only; production deployments were never affected. This issue has been...

CVSS 9.2 | EPSS 0.00906
Exploits: 0 | References: 2

OSV
added 2025/10/23 4:15 p.m. | 3 views

CVE-2025-62713 Kottster app reinitialization can be re-triggered allowing command injection in development mode

Kottster is a self-hosted Node.js admin panel. From versions 3.2.0 to before 3.3.2, Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode. This affects development mode only; production deployments were never affected. This issue has been...

CVSS 9.2 | AI score 8.1 | EPSS 0.00906
Exploits: 0 | References: 4

CVE
added 2025/10/23 4:15 p.m. | 11 views

CVE-2025-62713

Kottster is a self-hosted Node.js admin panel. A pre-authentication remote code execution (RCE) vulnerability exists in development mode for versions 3.2.0 to before 3.3.2; production deployments are unaffected. The issue allows code execution via development-mode behaviors, and has been fixed in ve...

CVSS 9.2 | AI score 7.7 | EPSS 0.00906
Exploits: 0 | References: 2

Snyk
added 2025/10/23 4:1 p.m. | 1 view

Access Control Bypass

Overview: @kottster/cli is a CLI for Kottster. Affected versions of this package are vulnerable to Access Control Bypass via the initApp and installPackagesForDataSource actions. An attacker can gain unauthorized administrative access and execute arbitrary system commands by repeatedly triggering...

CVSS 9.2 | AI score 7.5 | EPSS 0.00906
Exploits: 0 | References: 2

Snyk
added 2025/10/23 4:1 p.m. | 1 view

Access Control Bypass

Overview: @kottster/server is an instant admin panel for your project. Affected versions of this package are vulnerable to Access Control Bypass via the initApp and installPackagesForDataSource actions. An attacker can gain unauthorized administrative access and execute arbitrary system commands by...

CVSS 9.2 | AI score 7.6 | EPSS 0.00906
Exploits: 0 | References: 2

EUVD
added 2025/10/23 4:1 p.m. | 2 views

EUVD-2025-35701

Kottster app reinitialization can be re-triggered allowing command injection in development mode...

CVSS 9.2 | AI score 6.9 | EPSS 0.00906
Exploits: 0 | References: 4

Snyk
added 2025/10/23 4:1 p.m. | 1 view

Access Control Bypass

Overview: @kottster/common is common types and utilities for Kottster. Affected versions of this package are vulnerable to Access Control Bypass via the initApp and installPackagesForDataSource actions. An attacker can gain unauthorized administrative access and execute arbitrary system commands ...

CVSS 9.2 | AI score 7.6 | EPSS 0.00906
Exploits: 0 | References: 2

CNNVD
added 2025/10/23 12:0 a.m. | 2 views

Kottster Access Control Error Vulnerability

Kottster is an open-source instant Node.js admin panel from kottster. It is secure, self-hosted and easy to set up. An access control error vulnerability exists in Kottster versions 3.2.0 to before 3.3.2, which stems from a pre-authenticated remote code execution vulnerability in developme...

CVSS 9.2 | AI score 7.6 | EPSS 0.00906
Exploits: 0 | References: 2

Positive Technologies
added 2025/10/23 12:0 a.m. | 4 views

PT-2025-43531

Name of the Vulnerable Software and Affected Versions: Kottster versions 3.2.0 through 3.3.1. Description: Kottster is a self-hosted Node.js admin panel. Versions 3.2.0 through 3.3.1 contain a pre-authentication remote code execution (RCE) vulnerability when running in development mode. Production...

CVSS 9.2 | AI score 7.8 | EPSS 0.00906
Exploits: 0 | References: 14