Centos Web Panel
Products
2- 77 CVEs
- 13 CVEs
Recent CVEs
82| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-5961 | Med | 0.40 | 6.1 | 0.03 | Jan 22, 2018 | CentOS-WebPanel.com (aka CWP) CentOS Web Panel through v0.9.8.12 has XSS via the `module` value of the `index.php` file. | ||
| CVE-2025-48703 | 0.18 | — | 1.00 | KEV | Sep 19, 2025 | CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known. | ||
| CVE-2018-18323 | 0.09 | — | 0.71 | Oct 15, 2018 | CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Local File Inclusion via directory traversal with an admin/index.php?module=file_editor&file=/../ URI. | |||
| CVE-2021-31324 | 0.07 | — | 0.34 | May 18, 2021 | The unprivileged user portal part of CentOS Web Panel is affected by a Command Injection vulnerability leading to root Remote Code Execution. | |||
| CVE-2021-31316 | 0.05 | — | 0.13 | May 18, 2021 | The unprivileged user portal part of CentOS Web Panel is affected by a SQL Injection via the 'idsession' HTTP POST parameter. | |||
| CVE-2020-10230 | 0.05 | — | 0.15 | Mar 16, 2020 | CentOS-WebPanel.com (aka CWP) CentOS Web Panel (for CentOS 6 and 7) allows SQL Injection via the /cwp_{SESSION_HASH}/admin/loader_ajax.php term parameter. | |||
| CVE-2019-13360 | 0.05 | — | 0.24 | Jul 16, 2019 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, remote attackers can bypass authentication in the login process by leveraging knowledge of a valid username. | |||
| CVE-2019-13383 | 0.05 | — | 0.14 | Jul 16, 2019 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, the Login process allows attackers to check whether a username is valid by reading the HTTP response. | |||
| CVE-2019-13359 | 0.04 | — | 0.26 | Jul 16, 2019 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, a cwpsrv-xxx cookie allows a normal user to craft and upload a session file to the /tmp directory, and use it to become the root user. | |||
| CVE-2018-18322 | 0.04 | — | 0.15 | Oct 15, 2018 | CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Command Injection via shell metacharacters in the admin/index.php service_start, service_restart, service_fullstatus, or service_stop parameter. | |||
| CVE-2020-15609 | 0.03 | — | 0.08 | Jul 28, 2020 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_dashboard.php. When parsing the service_stop… | |||
| CVE-2019-13605 | 0.03 | — | 0.15 | Jul 16, 2019 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.838 to 0.9.8.846, remote attackers can bypass authentication in the login process by leveraging the knowledge of a valid username. The attacker must defeat an encoding that is not equivalent to base64, and thus this is… | |||
| CVE-2019-11429 | 0.03 | — | 0.06 | May 13, 2019 | CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version), 0.9.8.753 (Pro) and 0.9.8.807 (Pro) is vulnerable to Reflected XSS for the "Domain" field on the "DNS Functions > "Add DNS Zone" screen. | |||
| CVE-2019-10893 | 0.03 | — | 0.03 | Apr 18, 2019 | CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version) and 0.9.8.753 (Pro) is vulnerable to Stored/Persistent XSS for Admin Email fields on the "CWP Settings > "Edit Settings" screen. By changing the email ID to any XSS Payload and clicking on Save… | |||
| CVE-2019-10261 | 0.03 | — | 0.02 | Apr 3, 2019 | CentOS Web Panel (CWP) 0.9.8.789 is vulnerable to Stored/Persistent XSS for the "Name Server 1" and "Name Server 2" fields via a "DNS Functions" "Edit Nameservers IPs" action. | |||
| CVE-2019-7646 | 0.03 | — | 0.07 | Mar 26, 2019 | CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.763 is vulnerable to Stored/Persistent XSS for the "Package Name" field via the add_package module parameter. | |||
| CVE-2018-18774 | 0.03 | — | 0.05 | Nov 20, 2018 | CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows XSS via the admin/index.php module parameter. | |||
| CVE-2018-18772 | 0.03 | — | 0.03 | Nov 20, 2018 | CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=send_ssh, as demonstrated by executing an arbitrary OS command. | |||
| CVE-2018-18773 | 0.03 | — | 0.03 | Nov 20, 2018 | CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=rootpwd, as demonstrated by changing the root password. | |||
| CVE-2018-18324 | 0.03 | — | 0.03 | Oct 15, 2018 | CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has XSS via the admin/fileManager2.php fm_current_dir parameter, or the admin/index.php module, service_start, service_fullstatus, service_restart, service_stop, or file (within the file_editor) parameter. |
- risk 0.40cvss 6.1epss 0.03
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through v0.9.8.12 has XSS via the `module` value of the `index.php` file.
- risk 0.18cvss —epss 1.00
CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.
- CVE-2018-18323Oct 15, 2018risk 0.09cvss —epss 0.71
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Local File Inclusion via directory traversal with an admin/index.php?module=file_editor&file=/../ URI.
- CVE-2021-31324May 18, 2021risk 0.07cvss —epss 0.34
The unprivileged user portal part of CentOS Web Panel is affected by a Command Injection vulnerability leading to root Remote Code Execution.
- CVE-2021-31316May 18, 2021risk 0.05cvss —epss 0.13
The unprivileged user portal part of CentOS Web Panel is affected by a SQL Injection via the 'idsession' HTTP POST parameter.
- CVE-2020-10230Mar 16, 2020risk 0.05cvss —epss 0.15
CentOS-WebPanel.com (aka CWP) CentOS Web Panel (for CentOS 6 and 7) allows SQL Injection via the /cwp_{SESSION_HASH}/admin/loader_ajax.php term parameter.
- CVE-2019-13360Jul 16, 2019risk 0.05cvss —epss 0.24
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, remote attackers can bypass authentication in the login process by leveraging knowledge of a valid username.
- CVE-2019-13383Jul 16, 2019risk 0.05cvss —epss 0.14
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, the Login process allows attackers to check whether a username is valid by reading the HTTP response.
- CVE-2019-13359Jul 16, 2019risk 0.04cvss —epss 0.26
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, a cwpsrv-xxx cookie allows a normal user to craft and upload a session file to the /tmp directory, and use it to become the root user.
- CVE-2018-18322Oct 15, 2018risk 0.04cvss —epss 0.15
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Command Injection via shell metacharacters in the admin/index.php service_start, service_restart, service_fullstatus, or service_stop parameter.
- CVE-2020-15609Jul 28, 2020risk 0.03cvss —epss 0.08
This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_dashboard.php. When parsing the service_stop…
- CVE-2019-13605Jul 16, 2019risk 0.03cvss —epss 0.15
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.838 to 0.9.8.846, remote attackers can bypass authentication in the login process by leveraging the knowledge of a valid username. The attacker must defeat an encoding that is not equivalent to base64, and thus this is…
- CVE-2019-11429May 13, 2019risk 0.03cvss —epss 0.06
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version), 0.9.8.753 (Pro) and 0.9.8.807 (Pro) is vulnerable to Reflected XSS for the "Domain" field on the "DNS Functions > "Add DNS Zone" screen.
- CVE-2019-10893Apr 18, 2019risk 0.03cvss —epss 0.03
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version) and 0.9.8.753 (Pro) is vulnerable to Stored/Persistent XSS for Admin Email fields on the "CWP Settings > "Edit Settings" screen. By changing the email ID to any XSS Payload and clicking on Save…
- CVE-2019-10261Apr 3, 2019risk 0.03cvss —epss 0.02
CentOS Web Panel (CWP) 0.9.8.789 is vulnerable to Stored/Persistent XSS for the "Name Server 1" and "Name Server 2" fields via a "DNS Functions" "Edit Nameservers IPs" action.
- CVE-2019-7646Mar 26, 2019risk 0.03cvss —epss 0.07
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.763 is vulnerable to Stored/Persistent XSS for the "Package Name" field via the add_package module parameter.
- CVE-2018-18774Nov 20, 2018risk 0.03cvss —epss 0.05
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows XSS via the admin/index.php module parameter.
- CVE-2018-18772Nov 20, 2018risk 0.03cvss —epss 0.03
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=send_ssh, as demonstrated by executing an arbitrary OS command.
- CVE-2018-18773Nov 20, 2018risk 0.03cvss —epss 0.03
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=rootpwd, as demonstrated by changing the root password.
- CVE-2018-18324Oct 15, 2018risk 0.03cvss —epss 0.03
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has XSS via the admin/fileManager2.php fm_current_dir parameter, or the admin/index.php module, service_start, service_fullstatus, service_restart, service_stop, or file (within the file_editor) parameter.