PT-2026-42016 · Ctrlpanel · Ctrlpanel

Published: 2026-05-19 · Updated: 2026-05-21 · CVE-2026-34234

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CtrlPanel versions prior to 1.2.0
Description: The web-based installer at the endpoint "public/installer/index.php" allows unauthenticated Remote Code Execution (RCE), which is the ability to execute arbitrary commands on a remote machine. The issue occurs because the system executes form handler files before verifying the install.lock file, keeping installer endpoints accessible even after installation. Additionally, these handlers pass unsanitized user input directly into shell commands. This issue is reported to be actively exploited in the wild.
Recommendations: Update to version 1.2.0.
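
A log check for the exposure described above, as an added example that is not part of the advisory or of the CtrlPanel project: it lists clients whose requests reached the installer path in a web server access log. It assumes the combined log format and that `public/` is the document root; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: public/ is the document root, so the advisory's
# public/installer/index.php is requested as /installer/index.php; the
# optional /public prefix covers a document root set one level too high.
INSTALLER_RE = re.compile(r'^(?:/public)?/installer(?:/|/index\.php(?:/.*)?)?$', re.I)

def normalize_path(target):
    """Drop the query string, percent-decode, collapse duplicate slashes."""
    path = unquote(target.split('?', 1)[0])
    return re.sub(r'/{2,}', '/', path)

def installer_hits(lines):
    """Return {client_ip: [(timestamp, method, status), ...]} for installer requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and INSTALLER_RE.match(normalize_path(m['target'])):
            hits[m['ip']].append((m['ts'], m['method'], int(m['status'])))
    return dict(hits)

def needs_review(hits):
    """Clients with a POST to the installer that the server did not reject (status < 400)."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(meth == 'POST' and st < 400 for _, meth, st in reqs))

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [20/May/2026:03:14:07 +0000] "POST /installer/index.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [20/May/2026:03:14:09 +0000] "GET /installer/ HTTP/1.1" 200 1024 "-" "-"',
    '198.51.100.4 - - [20/May/2026:04:00:00 +0000] "POST //installer/%69ndex.php?step=2 HTTP/1.1" 302 0 "-" "-"',
    '192.0.2.10 - - [20/May/2026:05:00:00 +0000] "POST /installer/index.php HTTP/1.1" 403 199 "-" "-"',
    '192.0.2.11 - - [20/May/2026:05:01:00 +0000] "GET /home HTTP/1.1" 200 2048 "-" "-"',
]

if __name__ == '__main__':
    for ip in needs_review(installer_hits(SAMPLE)):
        print('review installer POSTs from', ip)
```

On a host that has already been installed, any accepted POST to this path is worth correlating with process and file-system activity from the same time window.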

Exploit

Fix

RCE

Improper Access Control

OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2026-34234

Affected Products: Ctrlpanel