CVE-2026-41315

CVSS v4.0

9.3

Critical

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication on the /modify crond and /start task interfaces, it is possible to modify the default built-in scheduled tasks and start them, achieving RCE.

Fix

Missing Authorization

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862CWE-78

Related Identifiers

CVE-2026-41315

Affected Products

Mdserver-Web

CVE-2026-41315

Weakness Enumeration

Related Identifiers

Affected Products

References · 2