From 751c9906a0e1029bd558c4223ff05c74f5f9753a Mon Sep 17 00:00:00 2001
From: Greg Roach <greg@subaqua.co.uk>
Date: Mon, 27 Apr 2026 21:13:48 +0100
Subject: Use validated variables for admin password during setup wizard

---
 app/Http/RequestHandlers/SetupWizard.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/Http/RequestHandlers/SetupWizard.php b/app/Http/RequestHandlers/SetupWizard.php
index 1d4cf35952..d31b3bc1c7 100644
--- a/app/Http/RequestHandlers/SetupWizard.php
+++ b/app/Http/RequestHandlers/SetupWizard.php
@@ -324,7 +324,7 @@ final class SetupWizard implements RequestHandlerInterface
             $admin->setPreference(UserInterface::PREF_LANGUAGE, $data['lang']);
             $admin->setPreference(UserInterface::PREF_IS_VISIBLE_ONLINE, '1');
         } else {
-            $admin->setPassword($_POST['wtpass']);
+            $admin->setPassword($data['wtpass']);
         }
         // Make the user an administrator
         $admin->setPreference(UserInterface::PREF_IS_ADMINISTRATOR, '1');
-- 
cgit v1.3