CVE-2026-34234
Description
CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the web-based installer (public/installer/index.php) is vulnerable to unauthenticated Remote Code Execution (RCE) because it performs the install.lock check only after including and executing form handler files, leaving installer endpoints reachable on already-installed instances. The handlers also pass unsanitized user input directly into shell commands, allowing an attacker to submit crafted requests that execute arbitrary commands on the server. The vulnerability stems from two combined weaknesses: (1) premature form handler execution before the lock file gate, and (2) unsafe use of user input in shell command construction. This issue is reported to be actively exploited in the wild. The issue has been fixed in version 1.2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The CtrlPanel installer in versions 1.1.1 and prior allows unauthenticated RCE because form handlers execute before the install.lock check and shell input is not sanitized; the issue is reported to be actively exploited.
Vulnerability
CtrlPanel versions 1.1.1 and prior contain a critical vulnerability in the web-based installer (public/installer/index.php). The installer includes and executes form handler files before checking for the presence of install.lock, meaning installer endpoints remain reachable on already-installed instances. Additionally, user-supplied input is passed unsanitized into shell commands via run_console() in src/forms/smtp.php and src/functions/shell.php, leading to Remote Code Execution (RCE). This issue is reported to be actively exploited in the wild [1].
Exploitation
An unauthenticated attacker with network access to the CtrlPanel instance can send crafted POST requests to the installer endpoints. By submitting a payload such as asdasd'' && bash -c 'malicious_command' in the $value parameter, the attacker can break out of the single-quoted context in the shell command and execute arbitrary commands. The exploitation does not require any prior authentication or user interaction [1].
Impact
Successful exploitation allows the attacker to execute arbitrary commands with the privileges of the web server process. The attacker can achieve full compromise of the server, including data exfiltration, installation of backdoors, or lateral movement within the hosting environment. The vulnerability is rated CVSS 10.0 (Critical) [1].
Mitigation
The issue is fixed in version 1.2.0, released on 2026-05-19 [2]. Users must upgrade to version 1.2.0 immediately. No workaround is available for unpatched instances. The vulnerability is actively exploited, and CISA has not yet listed it in KEV as of the publication date [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=1.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.