本ページは control-webpanel webpanel に影響する公開済み CVE(NVD の CPE 経由で関連付け)を列挙します。各行に深刻度指標・概要・公開日が含まれます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2025-48703 KEV | CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known. | [email protected] | 9.0 | 67.40% | 2025-09-19 | 2025-11-05 |
| CVE-2023-42123 | Control Web Panel mysql_manager Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is required to exploit this vulnerability. The specific flaw exists within the mysql_manager module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute cod | [email protected] | 8.8 | 1.27% | 2024-05-03 | 2025-08-09 |
| CVE-2023-42122 | Control Web Panel wloggui Command Injection Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Control Web Panel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the cwpsrv process, which listens on the loopback interface. The issue results from the lack of proper validation of a user-supplied s | [email protected] | 7.8 | 0.17% | 2024-05-03 | 2025-08-09 |
| CVE-2023-42121 | Control Web Panel Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of authentication within the web interface. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to execute | [email protected] | 9.8 | 1.17% | 2024-05-03 | 2025-08-09 |
| CVE-2023-42120 | Control Web Panel dns_zone_editor Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is required to exploit this vulnerability. The specific flaw exists within the dns_zone_editor module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute | [email protected] | 8.8 | 1.77% | 2024-05-03 | 2025-08-09 |
| CVE-2022-44877 KEV | login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter. | [email protected] | 9.8 | 94.46% | 2023-01-05 | 2025-11-03 |
| CVE-2021-45467 | In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI. Any number of %00 instances can be used, e.g., .%00%00%00./.%00%00%00./api/account_new_create could also be used for the scripts parameter. | [email protected] | 9.8 | 88.13% | 2022-12-26 | 2025-04-12 |
| CVE-2021-45466 | In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, attackers can make a crafted request to api/?api=add_server&DHCP= to add an authorized_keys text file in the /resources/ folder. | [email protected] | 9.8 | 4.21% | 2022-12-26 | 2025-04-14 |
| CVE-2022-25048 | Command injection vulnerability in CWP v0.9.8.1126 that allows normal users to run commands as the root user. | [email protected] | 8.8 | 16.20% | 2022-07-07 | 2024-11-21 |
| CVE-2022-25047 | The password reset token in CWP v0.9.8.1126 is generated using known or predictable values. | [email protected] | 5.9 | 0.33% | 2022-07-07 | 2024-11-21 |
| CVE-2022-25046 | A path traversal vulnerability in loader.php of CWP v0.9.8.1122 allows attackers to execute arbitrary code via a crafted POST request. | [email protected] | 9.8 | 4.12% | 2022-07-07 | 2024-11-21 |
| CVE-2021-31324 | The unprivileged user portal part of CentOS Web Panel is affected by a Command Injection vulnerability leading to root Remote Code Execution. | [email protected] | 9.8 | 82.74% | 2021-05-18 | 2024-11-21 |
| CVE-2021-31316 | The unprivileged user portal part of CentOS Web Panel is affected by a SQL Injection via the 'idsession' HTTP POST parameter. | [email protected] | 9.8 | 59.35% | 2021-05-18 | 2024-11-21 |
| CVE-2020-15628 | This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mail_autoreply.php. When parsing the user parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CA | [email protected] | 7.5 | 0.57% | 2020-07-28 | 2024-11-21 |
| CVE-2020-15627 | This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mail_autoreply.php. When parsing the account parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI | [email protected] | 7.5 | 0.57% | 2020-07-28 | 2024-11-21 |
| CVE-2020-15626 | This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_dashboard.php. When parsing the term parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-973 | [email protected] | 7.5 | 0.57% | 2020-07-28 | 2024-11-21 |
| CVE-2020-15625 | This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_add_mailbox.php. When parsing the username parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-C | [email protected] | 7.5 | 0.57% | 2020-07-28 | 2024-11-21 |
| CVE-2020-15624 | This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_new_account.php. When parsing the domain parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN | [email protected] | 7.5 | 0.57% | 2020-07-28 | 2024-11-21 |
| CVE-2020-15623 | This vulnerability allows remote attackers to write arbitrary files on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mod_security.php. When parsing the archivo parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9722. | [email protected] | 9.8 | 2.08% | 2020-07-28 | 2024-11-21 |
| CVE-2020-15622 | This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mail_autoreply.php. When parsing the search parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI- | [email protected] | 7.5 | 0.57% | 2020-07-28 | 2024-11-21 |