VYPR
Vendor

Control By Web

Products: 7
CVEs: 16
Across products: 19
Status: Private

Recent CVEs (16)
  • CVE-2025-67888 | High | May 8, 2026
    risk 0.54 | cvss 7.3 | epss 0.01

    An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated…

  • CVE-2022-44877 | KEV | Jan 5, 2023
    risk 0.23 | cvss | epss 1.00

    login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.

  • CVE-2025-48703 | KEV | Sep 19, 2025
    risk 0.18 | cvss | epss 1.00

    CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.

  • CVE-2021-45467 | Dec 26, 2022
    risk 0.07 | cvss | epss 0.71

    In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi…

  • CVE-2019-18418 | Oct 24, 2019
    risk 0.04 | cvss | epss 0.04

    clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests because there is no session management.

  • CVE-2018-18772 | Nov 20, 2018
    risk 0.03 | cvss | epss 0.03

    CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=send_ssh, as demonstrated by executing an arbitrary OS command.

  • CVE-2022-25048 | Jul 7, 2022
    risk 0.01 | cvss | epss 0.18

    Command injection vulnerability in CWP v0.9.8.1126 that allows normal users to run commands as the root user.

  • CVE-2023-42123 | May 3, 2024
    risk 0.00 | cvss | epss 0.02

    Control Web Panel mysql_manager Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is required to exploit this vulnerability. The specific…

  • CVE-2023-42122 | May 3, 2024
    risk 0.00 | cvss | epss 0.01

    Control Web Panel wloggui Command Injection Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Control Web Panel. An attacker must first obtain the ability to execute low-privileged code on the…

  • CVE-2023-42121 | May 3, 2024
    risk 0.00 | cvss | epss 0.01

    Control Web Panel Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is not required to exploit this vulnerability. The specific flaw…

  • CVE-2023-42120 | May 3, 2024
    risk 0.00 | cvss | epss 0.02

    Control Web Panel dns_zone_editor Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is required to exploit this vulnerability. The specific…

  • CVE-2023-23553 | Feb 13, 2023
    risk 0.00 | cvss | epss 0.00

    Control By Web X-400 devices are vulnerable to a cross-site scripting attack, which could result in private and session information being transferred to the attacker.

  • CVE-2023-23551 | Feb 13, 2023
    risk 0.00 | cvss | epss 0.01

    Control By Web X-600M devices run Lua scripts and are vulnerable to code injection, which could allow an attacker to remotely execute arbitrary code.

  • CVE-2022-25046 | Jul 7, 2022
    risk 0.00 | cvss | epss 0.45

    A path traversal vulnerability in loader.php of CWP v0.9.8.1122 allows attackers to execute arbitrary code via a crafted POST request.

  • CVE-2019-18419 | Oct 24, 2019
    risk 0.00 | cvss | epss 0.01

    A cross-site scripting (XSS) vulnerability in index.php in ClonOS WEB control panel 19.09 allows remote attackers to inject arbitrary web script or HTML via the lang parameter.

  • CVE-2019-15571 | Aug 26, 2019
    risk 0.00 | cvss | epss 0.01

    The WEB control panel before 2019-04-30 for ClonOS allows SQL injection in clonos.php.