Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Fri, 17 Jul 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 16 Jul 2026 19:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | bunkerweb is an Open-source and next-generation Web Application Firewall (WAF). From 1.6.2 until 1.6.12, the BunkerWeb web UI BiscuitMiddleware authorization bypass list included the /cache/ URL prefix, so routes in src/ui/app/routes/cache.py protected only by @login_required, including POST /cache/delete, allowed low-privilege read-only reader accounts to permanently delete job cache files containing blacklist, greylist, DNSBL, CrowdSec, GeoIP, ModSecurity CRS, Let's Encrypt, ACME, and custom configuration data. This issue is fixed in version 1.6.12. | |
| Title | bunkerweb: Read-only Web UI users can delete job cache files due to missing authorization on /cache/ routes | |
| Weaknesses | CWE-285 CWE-862 |
|
| References |
| |
| Metrics |
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-17T18:06:41.071Z
Reserved: 2026-07-10T18:51:13.920Z
Link: CVE-2026-61718
Updated: 2026-07-17T17:13:34.303Z
No data.
No data.
OpenCVE Enrichment
No data.