ALT-PU-2024-15780-4

Package update adguardhome in branch sisyphus

Version0.108.0-alt1.beta60

Published2026-03-15

Max severityCRITICAL

Severity:

Closed issues (4)

MEDIUM5.4

In AdGuardHome, versions v0.95 through v0.108.0-b.13 are vulnerable to Cross-Site Request Forgery (CSRF), in the custom filtering rules functionality. An attacker can persuade an authorized user to follow a malicious link, resulting in deleting/modifying the custom filtering rules.

Published: 2022-10-11Modified: 2025-05-20

CVSS 3.xMEDIUM 5.4

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

References

CRITICAL9.8

AdGuard Home is a network-wide software for blocking ads and tracking. Prior to 0.107.73, an unauthenticated remote attacker can bypass all authentication in AdGuardHome by sending an HTTP/1.1 request that requests an upgrade to HTTP/2 cleartext (h2c). Once the upgrade is accepted, the resulting HTTP/2 connection is handled by the inner mux, which has no authentication middleware attached. All subsequent HTTP/2 requests on that connection are processed as fully authenticated, regardless of whether any credentials were provided. This vulnerability is fixed in 0.107.73.

Published: 2026-03-11Modified: 2026-03-13

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

https://github.com/AdguardTeam/AdGuardHome/security/advisories/GHSA-5fg6-wrq4-w5gh

GHSA-5fg6-wrq4-w5gh

CRITICAL9.8

AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass

Published: 2026-03-12

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-mwwc-3jv2-62j3

MEDIUM4.3

AdGuardHome vulnerable to Cross-Site Request Forgery

Published: 2022-10-11Modified: 2022-10-13

CVSS 3.xMEDIUM 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References