Unrated severityCISA KEVNVD Advisory· Published Oct 29, 2024· Updated Oct 21, 2025

CVE-2024-51567

Description

upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.

Affected products

CyberPanel/CyberPaneldescription

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

cwe.mitre.org/data/definitions/420.htmlmitre
cwe.mitre.org/data/definitions/78.htmlmitre
cyberpanel.net/KnowledgeBase/home/change-logs/mitre
cyberpanel.net/blog/detials-and-fix-of-recent-security-issue-and-patch-of-cyberpanelmitre
dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rcemitre
github.com/usmannasir/cyberpanel/commit/5b08cd6d53f4dbc2107ad9f555122ce8b0996515mitre
www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.075
exploit	0.030
kev	0.120
patch	0.000
ransomware	0.060