Control Web Panel
CVEs (10)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-67888 | | High | 0.54 | 7.3 | 0.01 | | May 8, 2026 | An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated… |
| CVE-2025-48703 | | | 0.18 | — | 1.00 | KEV | Sep 19, 2025 | CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known. |
| CVE-2021-45467 | | | 0.07 | — | 0.71 | | Dec 26, 2022 | In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi… |
| CVE-2019-18418 | | | 0.04 | — | 0.04 | | Oct 24, 2019 | clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests because there is no session management. |
| CVE-2023-42123 | | | 0.00 | — | 0.02 | | May 3, 2024 | Control Web Panel mysql_manager Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is required to exploit this vulnerability. The specific… |
| CVE-2023-42122 | | | 0.00 | — | 0.01 | | May 3, 2024 | Control Web Panel wloggui Command Injection Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Control Web Panel. An attacker must first obtain the ability to execute low-privileged code on the… |
| CVE-2023-42121 | | | 0.00 | — | 0.01 | | May 3, 2024 | Control Web Panel Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is not required to exploit this vulnerability. The specific flaw… |
| CVE-2023-42120 | | | 0.00 | — | 0.02 | | May 3, 2024 | Control Web Panel dns_zone_editor Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is required to exploit this vulnerability. The specific… |
| CVE-2019-18419 | | | 0.00 | — | 0.01 | | Oct 24, 2019 | A cross-site scripting (XSS) vulnerability in index.php in ClonOS WEB control panel 19.09 allows remote attackers to inject arbitrary web script or HTML via the lang parameter. |
| CVE-2019-15571 | | | 0.00 | — | 0.01 | | Aug 26, 2019 | The WEB control panel before 2019-04-30 for ClonOS allows SQL injection in clonos.php. |