PT-2026-42013 · Ctrlpanel · Ctrlpanel

Published 2026-05-19 · Updated 2026-05-20 · CVE-2026-34216

CVSS v3.1: 6.6 (Medium)
Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CtrlPanel versions prior to 1.2.0

Description: An authenticated admin-level user can achieve remote code execution by supplying the name of any class reachable through the Composer autoloader. The admin settings update endpoint takes a fully qualified class name from user-supplied input and uses it for a dynamic static method call and for object instantiation without validating it against an allowlist. Specifically, update() reads the settings_class variable from the HTTP request and passes it to new $settings_class() and $settings_class::getValidations(). Any autoloadable class in the application or its dependencies can therefore be instantiated, which can trigger unintended side effects through constructors or magic methods such as __construct, __toString or __wakeup, following a PHP object injection pattern. The attack requires an existing admin account (CVSS PR:H), so in practice it turns panel administrator access into code execution on the host.

Recommendations: Update to version 1.2.0.
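The pattern the description refers to, shown as an added example rather than CtrlPanel's own code: a minimal vulnerable update() beside an allowlisted version. The class names (GeneralSettings, MailSettings, SideEffectOnConstruct), the request field names and the allowlist map are assumptions chosen for illustration; the only detail taken from the advisory is the use of new $settings_class() and $settings_class::getValidations() on a request-supplied value.

```php
<?php
// Added example, not CtrlPanel's code. All class and field names below are
// assumptions that illustrate the pattern in the advisory.
declare(strict_types=1);

// Two legitimate settings classes of the kind the endpoint is meant to serve.
final class GeneralSettings
{
    public static function getValidations(): array
    {
        return ['site_name' => 'required|string|max:100'];
    }
    public function updateSettings(array $data): void { /* persist $data */ }
}

final class MailSettings
{
    public static function getValidations(): array
    {
        return ['smtp_host' => 'required|string'];
    }
    public function updateSettings(array $data): void { /* persist $data */ }
}

// Constructed stand-in for any autoloadable class whose constructor (or
// __toString / __destruct) has a side effect. In a real deployment this would
// be some class already present in the application or vendor/, not something
// the attacker supplies; it only shows the hazard of `new $userControlled()`.
final class SideEffectOnConstruct
{
    public function __construct()
    {
        // Reached purely by naming the class in the request.
        echo "SideEffectOnConstruct::__construct ran\n";
    }
    public static function getValidations(): array { return []; }
}

// Vulnerable shape: the class name comes straight from the request.
function updateVulnerable(array $request): void
{
    $settings_class = $request['settings_class'];        // attacker-controlled
    $rules = $settings_class::getValidations();          // arbitrary static call
    $settings = new $settings_class();                   // arbitrary instantiation
    // Too late: the constructor has already executed by this point.
    if (method_exists($settings, 'updateSettings')) {
        $settings->updateSettings($request['values'] ?? []);
    }
}

// Hardened shape: the request carries a short category key, never a class
// name, and the key is resolved through a fixed allowlist of served classes.
const SETTINGS_ALLOWLIST = [
    'general' => GeneralSettings::class,
    'mail'    => MailSettings::class,
];

function resolveSettingsClass(string $key): string
{
    if (!array_key_exists($key, SETTINGS_ALLOWLIST)) {
        throw new InvalidArgumentException("unknown settings category: {$key}");
    }
    return SETTINGS_ALLOWLIST[$key];
}

function updateHardened(array $request): void
{
    $class = resolveSettingsClass((string) ($request['settings'] ?? ''));
    $rules = $class::getValidations();                   // only allowlisted classes
    (new $class())->updateSettings($request['values'] ?? []);
}

// Vulnerable endpoint: naming any loaded class runs its constructor.
updateVulnerable(['settings_class' => SideEffectOnConstruct::class]);

// Hardened endpoint: the same input is rejected before anything is instantiated.
try {
    updateHardened(['settings' => SideEffectOnConstruct::class]);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
updateHardened(['settings' => 'mail', 'values' => ['smtp_host' => 'smtp.example']]);
```

Run it with php on the command line. The vulnerable path prints the constructor message before method_exists() is consulted: with new, the constructor runs the moment the class is named, so any check on the resulting object comes too late, and class_exists() does not help either, since the attacker wants exactly a class that exists. The hardened path resolves a short category key through a fixed map, so a class name never travels in the request at all; checking is_subclass_of() against a settings interface would be a weaker alternative, because it still instantiates nothing but also still lets the caller choose from every loaded class that happens to implement it.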

Exploit · Fix · RCE


Weakness Enumeration

Related Identifiers: CVE-2026-34216

Affected Products: Ctrlpanel