eldy/AWStats

eldy/AWStats

www.awstats.org

Releases129

Frequency2 months 5 days

Last Release 10 months ago

Stars430

AWStats Log Analyzer project (official sources)

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2025-63261 ↗	Mar 20, 2026Friday, 20 March 2026, 21:17	7.8 HIGH	—
AWStats 8.0 is vulnerable to Command Injection via the open function
CVE-2022-46391 ↗	Dec 4, 2022Sunday, 4 December 2022, 03:15	6.1 MEDIUM	—
AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to printing a response from Net::XWhois without proper checks.
CVE-2020-35176 ↗	Dec 12, 2020Saturday, 12 December 2020, 00:15	5.3 MEDIUM	5 MEDIUM
In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
CVE-2020-29600 ↗	Dec 7, 2020Monday, 7 December 2020, 20:15	9.8 CRITICAL	7.5 HIGH
In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501.
CVE-2017-1000501 ↗	Jan 3, 2018Wednesday, 3 January 2018, 15:29	—	7.5 HIGH
Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution.