Control-Webpanel Webpanel vulnerabilities
82 known vulnerabilities affecting control-webpanel/webpanel.
Total CVEs: 82
CISA KEV: 2 (actively exploited)
Public exploits: 15
Exploited in wild: 3
Severity breakdown: CRITICAL 34, HIGH 23, MEDIUM 25
Vulnerabilities
Page 1 of 5
CVE-2025-48703 | P1 | CRITICAL | CVSS 9.0 | CWE-78 | KEV | PoC | fixed in 0.9.8.1205 | 2025-09-19
CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.
nvd
CVE-2022-44877 | P1 | CRITICAL | CVSS 9.8 | CWE-78 | KEV | PoC | fixed in 0.9.8.1147 | 2023-01-05
login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.
nvd
CVE-2021-45467 | P1 | CRITICAL | CVSS 9.8 | CWE-862 | Exploited | PoC | fixed in 0.9.8.1107 | 2022-12-26
In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI. Any number of %00 instances can be used, e.g., .%00%00%00./.%00%00%
nvd
CVE-2018-18323 | P2 | HIGH | CVSS 7.5 | CWE-22 | PoC | v0.9.8.480 | 2018-10-15
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Local File Inclusion via directory traversal with an admin/index.php?module=file_editor&file=/../ URI.
nvd
CVE-2019-13360 | P2 | CRITICAL | CVSS 9.8 | CWE-639 | PoC | v0.9.8.836 | 2019-07-16
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, remote attackers can bypass authentication in the login process by leveraging knowledge of a valid username.
nvd
CVE-2018-18322 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | PoC | v0.9.8.480 | 2018-10-15
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Command Injection via shell metacharacters in the admin/index.php service_start, service_restart, service_fullstatus, or service_stop parameter.
nvd
CVE-2019-13605 | P2 | HIGH | CVSS 8.8 | PoC | v0.9.8.836 | 2019-07-16
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.838 to 0.9.8.846, remote attackers can bypass authentication in the login process by leveraging the knowledge of a valid username. The attacker must defeat an encoding that is not equivalent to base64, and thus this is different from CVE-2019-13360.
nvd
CVE-2019-13359 | P2 | HIGH | CVSS 7.5 | CWE-434 | PoC | v0.9.8.836 | 2019-07-16
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, a cwpsrv-xxx cookie allows a normal user to craft and upload a session file to the /tmp directory, and use it to become the root user.
nvd
CVE-2021-45466 | P2 | CRITICAL | CVSS 9.8 | CWE-863 | fixed in 0.9.8.1107 | 2022-12-26
In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, attackers can make a crafted request to api/?api=add_server&DHCP= to add an authorized_keys text file in the /resources/ folder.
nvd
CVE-2020-15422 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | v0.9.8.923 | 2020-07-28
This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mod_security.php. When parsing the archivo parameter, the process does not properly validate a user-supplied string b
nvd
CVE-2020-15434 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | v0.9.8.923 | 2020-07-28
This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_php_pecl.php. When parsing the canal parameter, the process does not properly validate a user-supplied string before
nvd
CVE-2020-15612 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | v0.9.8.923 | 2020-07-28
This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_ftp_manager.php. When parsing the userLogin parameter, the process does not properly validate a user-supplied string
nvd
CVE-2020-15435 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | v0.9.8.923 | 2020-07-28
This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_dashboard.php. When parsing the service_start parameter, the process does not properly validate a user-supplied strin
nvd
CVE-2020-15611 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | v0.9.8.923 | 2020-07-28
This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_dashboard.php. When parsing the service_restart parameter, the process does not properly validate a user-supplied str
nvd
CVE-2020-15427 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | v0.9.8.923 | 2020-07-28
This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_disk_usage.php. When parsing the folderName parameter, the process does not properly validate a user-supplied string
nvd
CVE-2020-15423 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | v0.9.8.923 | 2020-07-28
This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mod_security.php. When parsing the dominio parameter, the process does not properly validate a user-supplied string b
nvd
CVE-2020-15426 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | v0.9.8.923 | 2020-07-28
This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_migration_cpanel.php. When parsing the serverip parameter, the process does not properly validate a user-supplied str
nvd
CVE-2020-15610 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | v0.9.8.923 | 2020-07-28
This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_php_pecl.php. When parsing the modulo parameter, the process does not properly validate a user-supplied string before
nvd
CVE-2020-15433 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | v0.9.8.923 | 2020-07-28
This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_php_pecl.php. When parsing the phpversion parameter, the process does not properly validate a user-supplied string be
nvd
CVE-2020-15421 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | v0.9.8.923 | 2020-07-28
This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mod_security.php. When parsing the check_ip parameter, the process does not properly validate a user-supplied string
nvd