VYPR

Control Web Panel

by Control By Web

CVEs (10)

  • CVE-2025-67888 | High | May 8, 2026
    risk 0.54 | cvss 7.3 | epss 0.01

    An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated…

  • CVE-2025-48703 | KEV | Sep 19, 2025
    risk 0.18 | cvss | epss 1.00

    CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.

  • CVE-2021-45467 | Dec 26, 2022
    risk 0.07 | cvss | epss 0.71

    In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi…

  • CVE-2019-18418 | Oct 24, 2019
    risk 0.04 | cvss | epss 0.04

    clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests because there is no session management.

  • CVE-2023-42123 | May 3, 2024
    risk 0.00 | cvss | epss 0.02

    Control Web Panel mysql_manager Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is required to exploit this vulnerability. The specific…

  • CVE-2023-42122 | May 3, 2024
    risk 0.00 | cvss | epss 0.01

    Control Web Panel wloggui Command Injection Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Control Web Panel. An attacker must first obtain the ability to execute low-privileged code on the…

  • CVE-2023-42121 | May 3, 2024
    risk 0.00 | cvss | epss 0.01

    Control Web Panel Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is not required to exploit this vulnerability. The specific flaw…

  • CVE-2023-42120 | May 3, 2024
    risk 0.00 | cvss | epss 0.02

    Control Web Panel dns_zone_editor Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is required to exploit this vulnerability. The specific…

  • CVE-2019-18419 | Oct 24, 2019
    risk 0.00 | cvss | epss 0.01

    A cross-site scripting (XSS) vulnerability in index.php in ClonOS WEB control panel 19.09 allows remote attackers to inject arbitrary web script or HTML via the lang parameter.

  • CVE-2019-15571 | Aug 26, 2019
    risk 0.00 | cvss | epss 0.01

    The WEB control panel before 2019-04-30 for ClonOS allows SQL injection in clonos.php.