vulnerability

Debian: CVE-2023-30801: qbittorrent -- security update

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)	Oct 10, 2023	May 15, 2025	Mar 30, 2026

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:C/A:C)

Published

Oct 10, 2023

Added

May 15, 2025

Modified

Mar 30, 2026

Description

All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.

Solution

no-fix-debian-deb-package

References

CVE-2023-30801
https://attackerkb.com/topics/CVE-2023-30801
CWE-1392
CWE-798
EUVD-EUVD-2023-35161
https://euvd.enisa.europa.eu/vulnerability/EUVD-2023-35161

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report