Description
ajenti through v2.2.13 has a clickjacking weakness in the browser-facing login and administrative UI. In ajenti-core/aj/http.py, the core HTTP response path initializes an empty header list, forwards handler-added headers verbatim, and finalizes responses through WSGI start_response() without adding anti-framing protections such as X-Frame-Options or a Content-Security-Policy frame-ancestors restriction.
Published: 2026-07-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Jul 2026 00:45:00 +0000

Type Values Removed Values Added
Title Ajenti Clickjacking Vulnerability in Login and Admin UI

Wed, 15 Jul 2026 16:45:00 +0000

Type Values Removed Values Added
Title Ajenti Clickjacking Vulnerability in Login and Admin UI

Mon, 13 Jul 2026 22:15:00 +0000

Type Values Removed Values Added
Title Ajenti Clickjacking Vulnerability in Login and Admin UI

Sat, 11 Jul 2026 22:00:00 +0000

Type Values Removed Values Added
Title Ajenti Clickjacking Vulnerability in Login and Admin UI

Fri, 10 Jul 2026 15:45:00 +0000

Type Values Removed Values Added
Title Ajenti Clickjacking Vulnerability in Login and Admin UI

Thu, 09 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1021
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Jul 2026 13:00:00 +0000

Type Values Removed Values Added
Title Clickjacking Vulnerability in Ajenti Login and Admin UI
Weaknesses CWE-1021

Wed, 08 Jul 2026 22:30:00 +0000

Type Values Removed Values Added
Title Clickjacking Vulnerability in Ajenti Login and Admin UI
Weaknesses CWE-1021

Wed, 08 Jul 2026 06:30:00 +0000

Type Values Removed Values Added
Title Clickjacking Vulnerability in Ajenti Login and Administrative UI
Weaknesses CWE-1021

Tue, 07 Jul 2026 06:45:00 +0000

Type Values Removed Values Added
Title Clickjacking Vulnerability in Ajenti Login and Administrative UI
Weaknesses CWE-1021

Mon, 06 Jul 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Ajenti
Ajenti ajenti
Vendors & Products Ajenti
Ajenti ajenti

Mon, 06 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
Description ajenti through v2.2.13 has a clickjacking weakness in the browser-facing login and administrative UI. In ajenti-core/aj/http.py, the core HTTP response path initializes an empty header list, forwards handler-added headers verbatim, and finalizes responses through WSGI start_response() without adding anti-framing protections such as X-Frame-Options or a Content-Security-Policy frame-ancestors restriction.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-07-09T15:00:53.847Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38979

cve-icon Vulnrichment

Updated: 2026-07-07T14:28:06.299Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-17T00:30:03Z

Weaknesses