CVE-2026-57517
Control Web Panel < 0.9.8.1225 Blind SQL Injection via userRes Parameter
Description
Control Web Panel before 0.9.8.1225 contains a blind SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary SQL queries by submitting unsanitized input through the userRes POST parameter at the user endpoint. Attackers can exploit MySQL root privileges obtained via the injection to write arbitrary files using INTO DUMPFILE, enabling deployment of a PHP webshell to the web-accessible roundcube logs directory and achieving remote code execution as the cwpsvc account.
INFO
Published Date :
July 1, 2026, 3:11 p.m.
Last Modified :
July 1, 2026, 3:11 p.m.
Remotely Exploit :
Yes !
Source :
VulnCheck
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | 83251b91-4cc7-4094-a5c7-464a1b83ea10 | ||||
| CVSS 3.1 | CRITICAL | MITRE-CVE | ||||
| CVSS 3.1 | CRITICAL | [email protected] | ||||
| CVSS 4.0 | CRITICAL | 83251b91-4cc7-4094-a5c7-464a1b83ea10 | ||||
| CVSS 4.0 | CRITICAL | [email protected] |
Solution
- Update Control Web Panel to version 0.9.8.1225 or later.
- Apply vendor patches and security updates promptly.
- Sanitize all user inputs on the server-side.
- Limit database user privileges.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-57517 vulnerability anywhere in the article.