
Cyberpanel vulnerabilities

10 known vulnerabilities affecting cyberpanel/cyberpanel.

Total CVEs: 10
CISA KEV: 2 (actively exploited)
Public exploits: 3
Exploited in wild: 3
Severity breakdown: CRITICAL 4, HIGH 3, MEDIUM 3

Vulnerabilities

CVE-2024-51378 | P1 | CRITICAL | CVSS 9.8 | KEV, PoC, Ransomware | fixed in 2.3.8 | 2024-10-29
CWE-78: getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as expl
Source: NVD
CVE-2024-51567 | P1 | CRITICAL | CVSS 9.8 | KEV, PoC, Ransomware | fixed in 2.3.8 | 2024-10-29
CWE-306: upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild i
Source: NVD
CVE-2024-51568 | P1 | CRITICAL | CVSS 9.8 | Exploited, PoC, Ransomware | fixed in 2.3.5 | 2024-10-29
CWE-78: CyberPanel (aka Cyber Panel) before 2.3.5 allows Command Injection via completePath in the ProcessUtilities.outputExecutioner() sink. There is /filemanager/upload (aka File Manager upload) unauthenticated remote code execution via shell metacharacters.
Source: NVD
CVE-2026-41473 | P2 | CRITICAL | CVSS 9.1 | fixed in 2.4.4 | 2026-04-24
CWE-306: CyberPanel versions prior to 2.4.4 contain an authentication bypass vulnerability in the AI Scanner worker API endpoints that allows unauthenticated remote attackers to write arbitrary data to the database by sending requests to the /api/ai-scanner/status-webhook and /api/ai-scanner/callback endpoints. Attackers can exploit the lack of authenticati
Source: NVD
CVE-2024-53376 | P2 | HIGH | CVSS 8.8 | fixed in 2.3.8 | 2024-12-16
CWE-78: CyberPanel before 2.3.8 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the phpSelection field to the websites/submitWebsiteCreation URI.
Source: NVD
CVE-2021-47949 | P2 | HIGH | CVSS 8.8 | affects ≤ 2.1 | 2026-05-10
CWE-59: CyberPanel 2.1 contains a command execution vulnerability that allows authenticated attackers to read arbitrary files and execute remote code by exploiting symlink attacks through the filemanager controller endpoint. Attackers can manipulate the completeStartingPath parameter in POST requests to /filemanager/controller to create symbolic links, read se
Source: NVD
CVE-2019-13056 | P3 | HIGH | CVSS 8.8 | affects ≤ 1.8.4 | 2019-07-02
CWE-352: An issue was discovered in CyberPanel through 1.8.4. On the user edit page, an attacker can edit the administrator's e-mail and password because of the lack of CSRF protection.
Source: NVD
CVE-2026-41472 | P3 | MEDIUM | CVSS 6.1 | fixed in 2.4.4 | 2026-04-24
CWE-79: CyberPanel versions prior to 2.4.4 contain a stored cross-site scripting vulnerability in the AI Scanner dashboard where the POST /api/ai-scanner/callback endpoint lacks authentication and allows unauthenticated attackers to inject malicious JavaScript by overwriting the findings_json field of ScanHistory records. Attackers can inject JavaScript that
Source: NVD
CVE-2024-54679 | P4 | MEDIUM | CVSS 6.5 | affects ≤ 2.3.7 | 2024-12-05
CWE-862: CyberPanel (aka Cyber Panel) before 6778ad1 does not require the FilemanagerAdmin capability for restartMySQL actions.
Source: NVD
CVE-2024-56112 | P4 | MEDIUM | CVSS 6.1 | fixed in 2024-11-11 | 2024-12-16
CWE-79: CyberPanel (aka Cyber Panel) before f0cf648 allows XSS via token or username to plogical/phpmyadminsignin.php.
Source: NVD
Cyberpanel vulnerabilities | cvebase