aaPanel
Products
1- 9 CVEs
Recent CVEs
9| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-37840 | Hig | 0.57 | 8.8 | 0.02 | Aug 2, 2021 | aaPanel through 6.8.12 allows Cross-Site WebSocket Hijacking (CSWH) involving OS commands within WebSocket messages at a ws:// URL for /webssh (the victim must have configured Terminal with at least one host). Successful exploitation depends on the browser used by a potential… | ||
| CVE-2020-14950 | Hig | 0.57 | 8.8 | 0.03 | Jun 21, 2020 | aaPanel through 6.6.6 allows remote authenticated users to execute arbitrary commands via shell metacharacters in a modified /system?action=ServiceAdmin request (start, stop, or restart) to the setting menu of Sotfware Store. | ||
| CVE-2020-14421 | Hig | 0.47 | 7.2 | 0.06 | Jun 18, 2020 | aaPanel through 6.6.6 allows remote authenticated users to execute arbitrary commands via the Script Content box on the Add Cron Job screen. | ||
| CVE-2022-26252 | Med | 0.42 | 6.5 | 0.02 | Mar 27, 2022 | aaPanel v6.8.21 was discovered to be vulnerable to directory traversal. This vulnerability allows attackers to obtain the root user private SSH key(id_rsa). | ||
| CVE-2025-12914 | Med | 0.31 | 4.7 | 0.00 | Nov 8, 2025 | A vulnerability has been found in aaPanel BaoTa up to 11.2.x. This vulnerability affects unknown code of the file /database?action=GetDatabaseAccess of the component Backend. The manipulation of the argument Name leads to sql injection. The attack can be initiated remotely. The… | ||
| CVE-2024-42922 | 0.01 | — | 0.01 | May 21, 2025 | AAPanel v7.0.7 was discovered to contain an OS command injection vulnerability. | |||
| CVE-2026-29858 | 0.00 | — | 0.00 | Mar 18, 2026 | A lack of path validation in aaPanel v7.57.0 allows attackers to execute a local file inclusion (LFI), leadingot sensitive information exposure. | |||
| CVE-2026-29856 | 0.00 | — | 0.00 | Mar 18, 2026 | An issue in the VirtualHost configuration handling/parser component of aaPanel v7.57.0 allows attackers to cause a Regular Expression Denial of Service (ReDoS) via a crafted input. | |||
| CVE-2026-29859 | 0.00 | — | 0.01 | Mar 18, 2026 | An arbitrary file upload vulnerability in aaPanel v7.57.0 allows attackers to execute arbitrary code via uploading a crafted file. |
- risk 0.57cvss 8.8epss 0.02
aaPanel through 6.8.12 allows Cross-Site WebSocket Hijacking (CSWH) involving OS commands within WebSocket messages at a ws:// URL for /webssh (the victim must have configured Terminal with at least one host). Successful exploitation depends on the browser used by a potential…
- risk 0.57cvss 8.8epss 0.03
aaPanel through 6.6.6 allows remote authenticated users to execute arbitrary commands via shell metacharacters in a modified /system?action=ServiceAdmin request (start, stop, or restart) to the setting menu of Sotfware Store.
- risk 0.47cvss 7.2epss 0.06
aaPanel through 6.6.6 allows remote authenticated users to execute arbitrary commands via the Script Content box on the Add Cron Job screen.
- risk 0.42cvss 6.5epss 0.02
aaPanel v6.8.21 was discovered to be vulnerable to directory traversal. This vulnerability allows attackers to obtain the root user private SSH key(id_rsa).
- risk 0.31cvss 4.7epss 0.00
A vulnerability has been found in aaPanel BaoTa up to 11.2.x. This vulnerability affects unknown code of the file /database?action=GetDatabaseAccess of the component Backend. The manipulation of the argument Name leads to sql injection. The attack can be initiated remotely. The…
- CVE-2024-42922May 21, 2025risk 0.01cvss —epss 0.01
AAPanel v7.0.7 was discovered to contain an OS command injection vulnerability.
- CVE-2026-29858Mar 18, 2026risk 0.00cvss —epss 0.00
A lack of path validation in aaPanel v7.57.0 allows attackers to execute a local file inclusion (LFI), leadingot sensitive information exposure.
- CVE-2026-29856Mar 18, 2026risk 0.00cvss —epss 0.00
An issue in the VirtualHost configuration handling/parser component of aaPanel v7.57.0 allows attackers to cause a Regular Expression Denial of Service (ReDoS) via a crafted input.
- CVE-2026-29859Mar 18, 2026risk 0.00cvss —epss 0.01
An arbitrary file upload vulnerability in aaPanel v7.57.0 allows attackers to execute arbitrary code via uploading a crafted file.