Aggregates CVE and security vulnerability intelligence across all aapanel-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk path handling and vendor risk file inclusion and related problems; some flaws may lead to vendor impact file overwrite, affecting vendor surface production workloads scenarios.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-29859 | An arbitrary file upload vulnerability in aaPanel v7.57.0 allows attackers to execute arbitrary code via uploading a crafted file. | [email protected] | 9.8 | 0.07% | 2026-03-18 | 2026-03-23 |
| CVE-2026-29858 | A lack of path validation in aaPanel v7.57.0 allows attackers to execute a local file inclusion (LFI), leadingot sensitive information exposure. | [email protected] | 7.5 | 0.06% | 2026-03-18 | 2026-03-19 |
| CVE-2026-29856 | An issue in the VirtualHost configuration handling/parser component of aaPanel v7.57.0 allows attackers to cause a Regular Expression Denial of Service (ReDoS) via a crafted input. | [email protected] | 7.5 | 0.05% | 2026-03-18 | 2026-03-19 |
| CVE-2024-42922 | AAPanel v7.0.7 was discovered to contain an OS command injection vulnerability. | [email protected] | 6.5 | 6.88% | 2025-05-21 | 2025-06-25 |
| CVE-2022-26252 | aaPanel v6.8.21 was discovered to be vulnerable to directory traversal. This vulnerability allows attackers to obtain the root user private SSH key(id_rsa). | [email protected] | 6.5 | 2.58% | 2022-03-27 | 2024-11-21 |
| CVE-2021-37840 | aaPanel through 6.8.12 allows Cross-Site WebSocket Hijacking (CSWH) involving OS commands within WebSocket messages at a ws:// URL for /webssh (the victim must have configured Terminal with at least one host). Successful exploitation depends on the browser used by a potential victim (e.g., exploitation can occur with Firefox but not Chrome). | [email protected] | 8.8 | 0.40% | 2021-08-02 | 2024-11-21 |
| CVE-2020-14950 | aaPanel through 6.6.6 allows remote authenticated users to execute arbitrary commands via shell metacharacters in a modified /system?action=ServiceAdmin request (start, stop, or restart) to the setting menu of Sotfware Store. | [email protected] | 8.8 | 2.68% | 2020-06-21 | 2024-11-21 |
| CVE-2020-14421 | aaPanel through 6.6.6 allows remote authenticated users to execute arbitrary commands via the Script Content box on the Add Cron Job screen. | [email protected] | 7.2 | 9.45% | 2020-06-18 | 2024-11-21 |