Control By Web
Products (7)
- 10 CVEs
- 4 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
Recent CVEs (16)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-67888 | | High | 0.54 | 7.3 | 0.01 | | May 8, 2026 | An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated… |
| CVE-2022-44877 | | | 0.23 | — | 1.00 | KEV | Jan 5, 2023 | login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter. |
| CVE-2025-48703 | | | 0.18 | — | 1.00 | KEV | Sep 19, 2025 | CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known. |
| CVE-2021-45467 | | | 0.07 | — | 0.71 | | Dec 26, 2022 | In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi… |
| CVE-2019-18418 | | | 0.04 | — | 0.04 | | Oct 24, 2019 | clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests because there is no session management. |
| CVE-2018-18772 | | | 0.03 | — | 0.03 | | Nov 20, 2018 | CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=send_ssh, as demonstrated by executing an arbitrary OS command. |
| CVE-2022-25048 | | | 0.01 | — | 0.18 | | Jul 7, 2022 | Command injection vulnerability in CWP v0.9.8.1126 that allows normal users to run commands as the root user. |
| CVE-2023-42123 | | | 0.00 | — | 0.02 | | May 3, 2024 | Control Web Panel mysql_manager Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is required to exploit this vulnerability. The specific… |
| CVE-2023-42122 | | | 0.00 | — | 0.01 | | May 3, 2024 | Control Web Panel wloggui Command Injection Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Control Web Panel. An attacker must first obtain the ability to execute low-privileged code on the… |
| CVE-2023-42121 | | | 0.00 | — | 0.01 | | May 3, 2024 | Control Web Panel Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is not required to exploit this vulnerability. The specific flaw… |
| CVE-2023-42120 | | | 0.00 | — | 0.02 | | May 3, 2024 | Control Web Panel dns_zone_editor Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is required to exploit this vulnerability. The specific… |
| CVE-2023-23553 | | | 0.00 | — | 0.00 | | Feb 13, 2023 | Control By Web X-400 devices are vulnerable to a cross-site scripting attack, which could result in private and session information being transferred to the attacker. |
| CVE-2023-23551 | | | 0.00 | — | 0.01 | | Feb 13, 2023 | Control By Web X-600M devices run Lua scripts and are vulnerable to code injection, which could allow an attacker to remotely execute arbitrary code. |
| CVE-2022-25046 | | | 0.00 | — | 0.45 | | Jul 7, 2022 | A path traversal vulnerability in loader.php of CWP v0.9.8.1122 allows attackers to execute arbitrary code via a crafted POST request. |
| CVE-2019-18419 | | | 0.00 | — | 0.01 | | Oct 24, 2019 | A cross-site scripting (XSS) vulnerability in index.php in ClonOS WEB control panel 19.09 allows remote attackers to inject arbitrary web script or HTML via the lang parameter. |
| CVE-2019-15571 | | | 0.00 | — | 0.01 | | Aug 26, 2019 | The WEB control panel before 2019-04-30 for ClonOS allows SQL injection in clonos.php. |