High severityNVD Advisory· Published Aug 1, 2025· Updated Apr 15, 2026

CVE-2013-10053

Description

A remote command execution vulnerability exists in ZPanel version 10.0.0.2 in its htpasswd module. When creating .htaccess files, the inHTUsername field is passed unsanitized to a system() call that invokes the system’s htpasswd binary. By injecting shell metacharacters into the username field, an authenticated attacker can execute arbitrary system commands. Exploitation requires a valid ZPanel account—such as one in the default Users, Resellers, or Administrators groups—but no elevated privileges.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/zpanel_username_exec.rbnvd
web.archive.org/web/20130617014355/http://forums.zpanelcp.com/showthread.phpnvd
www.vulncheck.com/advisories/zpanel-htpasswd-module-username-command-executionnvd

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.051
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000