Lucene search
K

134 matches found

Nuclei
Nuclei
added yesterday29 views

Control Web Panel (CWP) - File Inclusion

In CWP Control Web Panel, previously CentOS Web Panel before version 0.9.8.1107, an unauthenticated attacker can abuse null byte %00 injection with the "scripts" parameter in the /user/loader.php or /user/login.php endpoints to register arbitrary API keys or access sensitive files. This can be...

9.8CVSS7.3AI score0.70947EPSS
Exploits1References2
Nuclei
Nuclei
added 2026/07/07 3:1 a.m.20 views

CWP (Control Web Panel) < 0.9.8.1205 - Remote Code Execution

CWP Control Web Panel 0.9.8.1205 contains a remote code execution caused by shell metacharacters in the ttotal parameter in filemanager changePerm request, letting unauthenticated attackers execute code remotely, exploit requires knowledge of a valid non-root username. id: CVE-2025-48703 info:...

9CVSS8AI score0.99589EPSS
Exploits3References2
NVD
NVD
added 2026/07/01 4:16 p.m.17 views

CVE-2026-57517

Control Web Panel before 0.9.8.1225 contains a blind SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary SQL queries by submitting unsanitized input through the userRes POST parameter at the user endpoint. Attackers can exploit MySQL root privileges...

9.8CVSS0.00587EPSS
Exploits2References4
Cvelist
Cvelist
added 2026/07/01 3:11 p.m.37 views

CVE-2026-57517 Control Web Panel < 0.9.8.1225 Blind SQL Injection via userRes Parameter

Control Web Panel before 0.9.8.1225 contains a blind SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary SQL queries by submitting unsanitized input through the userRes POST parameter at the user endpoint. Attackers can exploit MySQL root privileges...

9.8CVSS0.00587EPSS
Exploits2References3
ATTACKERKB
ATTACKERKB
added 2026/07/01 3:11 p.m.11 views

CVE-2026-57517

Control Web Panel before 0.9.8.1225 contains a blind SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary SQL queries by submitting unsanitized input through the userRes POST parameter at the user endpoint. Attackers can exploit MySQL root privileges...

9.8CVSS6.7AI score0.00587EPSS
Exploits2References4
CVE
CVE
added 2026/07/01 3:11 p.m.56 views

CVE-2026-57517

Control Web Panel prior to version 0.9.8.1225 is affected by CVE-2026-57517, a blind SQL injection via the userRes POST parameter at the user endpoint. The vulnerability allows unauthenticated remote attackers to execute arbitrary SQL queries, potentially leveraging MySQL root privileges obtained...

9.8CVSS6.7AI score0.00587EPSS
Exploits2References4
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.9 views

PT-2026-54885

Name of the Vulnerable Software and Affected Versions Control Web Panel versions prior to 0.9.8.1225 Description An unauthenticated remote attacker can execute arbitrary SQL queries due to improper input validation and unsafe SQL query construction. This issue occurs at the 'user' endpoint throug...

9.8CVSS6.8AI score0.00587EPSS
Exploits2References13
RedhatCVE
RedhatCVE
added 2026/06/05 7:51 p.m.9 views

CVE-2025-67888

An issue was discovered in Control Web Panel CWP before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php when the "api" parameter is set is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject an...

7.3CVSS5.9AI score0.01186EPSS
Exploits3References1
EUVD
EUVD
added 2026/05/08 9:31 a.m.15 views

EUVD-2025-209736

An issue was discovered in Control Web Panel CWP before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php when the "api" parameter is set is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject an...

7.3CVSS6.1AI score0.01186EPSS
Exploits3References4
NVD
NVD
added 2026/05/08 7:16 a.m.20 views

CVE-2025-67888

An issue was discovered in Control Web Panel CWP before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php when the "api" parameter is set is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject an...

7.3CVSS0.01186EPSS
Exploits3References3
CVE
CVE
added 2026/05/08 12:0 a.m.52 views

CVE-2025-67888

Control Web Panel (CWP) before 0.9.8.1209 is affected by an unauthenticated OS command injection flaw. User input passed in the GET parameter “key” to /admin/index.php (when the “api” parameter is set) is not properly sanitized, allowing an attacker to inject and execute arbitrary commands with r...

7.3CVSS6.1AI score0.01186EPSS
Exploits3References3
Cvelist
Cvelist
added 2026/05/08 12:0 a.m.43 views

CVE-2025-67888

An issue was discovered in Control Web Panel CWP before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php when the "api" parameter is set is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject an...

0.01186EPSS
Exploits3References2
ATTACKERKB
ATTACKERKB
added 2026/05/08 12:0 a.m.9 views

CVE-2025-67888

An issue was discovered in Control Web Panel CWP before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php when the "api" parameter is set is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject an...

7.3CVSS6.1AI score0.01186EPSS
Exploits3References4
Positive Technologies
Positive Technologies
added 2026/05/08 12:0 a.m.18 views

PT-2026-38670

Name of the Vulnerable Software and Affected Versions Control Web Panel CWP versions prior to 0.9.8.1209 Description Unauthenticated attackers can inject and execute arbitrary OS commands with root privileges on the web server. This occurs because user input provided through the key GET parameter...

7.3CVSS6.1AI score0.01186EPSS
Exploits3References8
Vulnrichment
Vulnrichment
added 2026/05/08 12:0 a.m.10 views

CVE-2025-67888

An issue was discovered in Control Web Panel CWP before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php when the "api" parameter is set is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject an...

6.1AI score0.01186EPSS
Exploits3References2
CNNVD
CNNVD
added 2026/05/08 12:0 a.m.17 views

Control Web Panel 操作系统命令注入漏洞

Control Web Panel is a Linux virtual host control panel. Versions of Control Web Panel prior to 0.9.8.1209 contained a vulnerability related to operating system command injection. This vulnerability stemmed from improper handling of the key parameter in /admin/index.php, allowing unauthenticated...

7.3CVSS6.1AI score0.01186EPSS
Exploits3References1
Positive Technologies
Positive Technologies
added 2026/04/03 12:0 a.m.5 views

PT-2026-30044

Name of the Vulnerable Software and Affected Versions Control Web Panel affected versions not specified Description A remote code execution issue exists in Control Web Panel. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability...

6.5AI score
Exploits0References5
Saint
Saint
added 2026/01/21 12:0 a.m.123 views

Control Web Panel key parameter command injection

Added: 01/21/2026 Background Control Web Panel is a web hosting panel for Linux. Problem A command injection vulnerability allows remote attackers to execute arbitrary commands by sending a specially crafted key parameter. Resolution Upgrade to Control Web Panel 0.9.8.1209 or higher. References...

6AI score
Exploits0
Saint
Saint
added 2026/01/21 12:0 a.m.119 views

Control Web Panel key parameter command injection

Added: 01/21/2026 Background Control Web Panel is a web hosting panel for Linux. Problem A command injection vulnerability allows remote attackers to execute arbitrary commands by sending a specially crafted key parameter. Resolution Upgrade to Control Web Panel 0.9.8.1209 or higher. References...

6.2AI score
Exploits0
Rapid7 Blog
Rapid7 Blog
added 2026/01/16 6:49 p.m.30 views

Metasploit Wrap-Up 01/16/2026

Persistence, dMSA Abuse & RCE Goodies This week, we have received a lot of contributions from the community, such as h00die, Chocapikk and countless others, which is greatly appreciated. This week’s modules and improvements in Metasploit Framework range from new modules, such as dMSA Abuse...

9.9CVSS7.5AI score0.97875EPSS
Exploits35
Rows per page
Query Builder