PT-2026-38670 · Unknown+1 · Control Web Panel+2
Published: 2026-05-08 · Updated: 2026-05-26
CVE-2025-67888
CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
Control Web Panel (CWP) versions prior to 0.9.8.1209
Description
Unauthenticated attackers can inject and execute arbitrary OS commands with root privileges on the web server. This occurs because user input provided through the key GET parameter in the '/admin/index.php' endpoint is not properly sanitized when the api parameter is set. This issue requires the presence of Softaculous or SitePad.
Recommendations
Update to version 0.9.8.1209 or later.
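A log-review sketch for the request shape described above, added here as an example and not part of the advisory or of CWP: it lists requests to '/admin/index.php' that carry both the api and key parameters and marks those whose decoded key is not a plain token. The combined log format, the token pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: access log in combined format; adapt the regex to your server's log.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Assumption: a legitimate key is a plain token; anything else deserves review.
PLAIN_TOKEN_RE = re.compile(r'^[A-Za-z0-9_-]*$')

# Constructed sample lines (documentation IP ranges, harmless values).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/May/2026:10:00:00 +0000] "GET /admin/index.php?api=1&key=Zm9vYmFy123 HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/May/2026:10:00:05 +0000] "GET /admin/index.php?api=1&key=not%20a%20plain%20token HTTP/1.1" 200 87',
    '192.0.2.10 - - [08/May/2026:10:00:09 +0000] "GET /admin/index.php?module=dashboard HTTP/1.1" 302 0',
    '203.0.113.4 - - [08/May/2026:10:00:11 +0000] "GET /index.html HTTP/1.1" 200 1024',
]


def classify(line):
    """Return None when the line is out of scope, otherwise a finding dict."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path.rstrip("/") != "/admin/index.php":
        return None
    # parse_qs percent-decodes values, so encoded characters are checked too.
    params = parse_qs(url.query, keep_blank_values=True)
    if "api" not in params or "key" not in params:
        return None
    suspicious = any(not PLAIN_TOKEN_RE.match(v) for v in params["key"])
    return {
        "ip": m["ip"],
        "status": int(m["status"]),
        "key_values": params["key"],
        "suspicious": suspicious,
    }


def scan(lines):
    """Collect every in-scope request; callers filter on 'suspicious'."""
    return [f for f in map(classify, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        flag = "REVIEW" if finding["suspicious"] else "ok"
        print(flag, finding["ip"], finding["status"], finding["key_values"])
```

On hosts still below 0.9.8.1209, any unauthenticated hit on this endpoint with both parameters is worth reviewing, whatever the key looks like.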
Exploit
Fix
RCE
OS Command Injection
Affected Products
Control Web Panel
SitePad
Softaculous