PT-2026-54885 · Unknown · Control Web Panel

Egidio Romano · Published 2026-07-01 · Updated 2026-07-03 · CVE-2026-57517

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Control Web Panel versions prior to 0.9.8.1225

Description: An unauthenticated remote attacker can execute arbitrary SQL queries because of improper input validation and unsafe SQL query construction. The issue is in the 'user' endpoint and is reached through the userRes POST parameter. Approximately 896,400 devices worldwide are potentially affected. With MySQL root privileges, an attacker can use the INTO DUMPFILE statement to write a PHP webshell into the web-accessible Roundcube logs directory, resulting in remote code execution as the cwpsvc account and potential full server compromise.

Recommendations: Upgrade to version 0.9.8.1225. As a temporary mitigation, restrict access to the 'user' endpoint or avoid using the userRes parameter until the update is applied.
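Two checks a defender would want from this advisory are whether an installed Control Web Panel build predates the fixed release and whether requests to the 'user' endpoint have carried SQL-injection indicators in the userRes parameter. The script below is an added example, not code from the advisory or from Control Web Panel: the log line format, the `/user` request path, the client addresses and the request bodies are all constructed here for illustration, and the indicator patterns are generic SQL metacharacters plus the INTO DUMPFILE primitive the advisory names.

```python
"""Added example (not part of the advisory or of Control Web Panel):
flag POST requests to the 'user' endpoint whose userRes parameter looks
like SQL injection, and check an installed version against the fixed
release 0.9.8.1225 named in the advisory."""
import re
from urllib.parse import parse_qs

FIXED_VERSION = "0.9.8.1225"   # fixed release named in the advisory
USER_ENDPOINT_SUFFIX = "/user"  # assumed request path for the 'user' endpoint

# Indicators that should never appear in a username-like value.
# INTO DUMPFILE/OUTFILE is the file-write primitive the advisory describes;
# the rest are generic SQL metacharacters and keywords.
SQLI_PATTERNS = [
    re.compile(r"into\s+(dump|out)file", re.I),
    re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    re.compile(r"['\"`]"),        # quote characters
    re.compile(r"(--|#|/\*)"),    # SQL comment sequences
    re.compile(r";\s*\w"),        # stacked statements
]


def suspicious_value(value):
    """Return the patterns (as strings) matched in one parameter value."""
    return [p.pattern for p in SQLI_PATTERNS if p.search(value)]


def parse_version(v):
    """'0.9.8.1225' -> (0, 9, 8, 1225) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))


def is_vulnerable_version(installed):
    """True when the installed CWP version predates the fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def analyze_log(lines):
    """Return (timestamp, client, matched_patterns) for suspicious requests.

    Each constructed log line has the shape:
        <timestamp> <client> <method> <path> <urlencoded POST body>
    """
    findings = []
    for line in lines:
        parts = line.split(" ", 4)
        if len(parts) < 5:
            continue  # malformed or body-less line
        ts, client, method, path, body = parts
        if method != "POST" or not path.rstrip("/").endswith(USER_ENDPOINT_SUFFIX):
            continue
        params = parse_qs(body, keep_blank_values=True)  # URL-decodes values
        for value in params.get("userRes", []):
            hits = suspicious_value(value)
            if hits:
                findings.append((ts, client, hits))
    return findings


# Constructed sample log: two benign requests and two carrying SQL syntax
# in userRes (one with INTO DUMPFILE and a placeholder path, one with a
# quote and a comment sequence).
SAMPLE_LOG = [
    "2026-07-01T10:00:00Z 198.51.100.7 POST /user userRes=alice",
    "2026-07-01T10:00:05Z 198.51.100.7 POST /user "
    "userRes=alice%27%20INTO%20DUMPFILE%20%27%2FPLACEHOLDER%2Fx.php%27",
    "2026-07-01T10:00:09Z 203.0.113.9 POST /login user=bob",
    "2026-07-01T10:00:12Z 203.0.113.9 POST /user userRes=bob%27%20OR%201%3D1--%20",
]

if __name__ == "__main__":
    for installed in ("0.9.8.1224", "0.9.8.1225"):
        state = "VULNERABLE" if is_vulnerable_version(installed) else "fixed"
        print(f"CWP {installed}: {state}")
    for ts, client, hits in analyze_log(SAMPLE_LOG):
        print(f"{ts} {client} suspicious userRes, matched: {hits}")
```

The version check treats any build below 0.9.8.1225 as affected, which is exactly the affected range the advisory states. The log check only looks at the userRes parameter of POSTs to the 'user' endpoint, so benign traffic to other endpoints is not flagged; the URL decoding done by `parse_qs` matters, because the indicators arrive percent-encoded on the wire.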

Tags: Exploit · Fix · RCE · SQL injection


Weakness Enumeration

Related Identifiers: CVE-2026-57517

Affected Products: Control Web Panel