RaspAP (aka raspap-webgui) up to and including 3.0.9 allows remote malicious users to read the /etc/passwd file via a crafted request.