VYPR

aaPanel

by aaPanel

CVEs (9)

  • CVE-2021-37840HigAug 2, 2021
    risk 0.57cvss 8.8epss 0.02

    aaPanel through 6.8.12 allows Cross-Site WebSocket Hijacking (CSWH) involving OS commands within WebSocket messages at a ws:// URL for /webssh (the victim must have configured Terminal with at least one host). Successful exploitation depends on the browser used by a potential…

  • CVE-2020-14950HigJun 21, 2020
    risk 0.57cvss 8.8epss 0.03

    aaPanel through 6.6.6 allows remote authenticated users to execute arbitrary commands via shell metacharacters in a modified /system?action=ServiceAdmin request (start, stop, or restart) to the setting menu of Sotfware Store.

  • CVE-2020-14421HigJun 18, 2020
    risk 0.47cvss 7.2epss 0.06

    aaPanel through 6.6.6 allows remote authenticated users to execute arbitrary commands via the Script Content box on the Add Cron Job screen.

  • CVE-2022-26252MedMar 27, 2022
    risk 0.42cvss 6.5epss 0.02

    aaPanel v6.8.21 was discovered to be vulnerable to directory traversal. This vulnerability allows attackers to obtain the root user private SSH key(id_rsa).

  • CVE-2025-12914MedNov 8, 2025
    risk 0.31cvss 4.7epss 0.00

    A vulnerability has been found in aaPanel BaoTa up to 11.2.x. This vulnerability affects unknown code of the file /database?action=GetDatabaseAccess of the component Backend. The manipulation of the argument Name leads to sql injection. The attack can be initiated remotely. The…

  • CVE-2024-42922May 21, 2025
    risk 0.01cvss epss 0.01

    AAPanel v7.0.7 was discovered to contain an OS command injection vulnerability.

  • CVE-2026-29858Mar 18, 2026
    risk 0.00cvss epss 0.00

    A lack of path validation in aaPanel v7.57.0 allows attackers to execute a local file inclusion (LFI), leadingot sensitive information exposure.

  • CVE-2026-29856Mar 18, 2026
    risk 0.00cvss epss 0.00

    An issue in the VirtualHost configuration handling/parser component of aaPanel v7.57.0 allows attackers to cause a Regular Expression Denial of Service (ReDoS) via a crafted input.

  • CVE-2026-29859Mar 18, 2026
    risk 0.00cvss epss 0.01

    An arbitrary file upload vulnerability in aaPanel v7.57.0 allows attackers to execute arbitrary code via uploading a crafted file.