GenieACS has an unauthenticated access vulnerability via the NBI API endpoint
In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint.
Advisories for Npm/Genieacs package
2026
2022
OS Command Injection in GenieACS
In GenieACS 1.2.x before 1.2.8, the UI interface API is vulnerable to unauthenticated OS command injection via the ping host argument (lib/ui/api.ts and lib/ping.ts). The vulnerability arises from insufficient input validation combined with a missing authorization check.