Security researchers publicly disclosed a critical vulnerability in Control Web Panel alongside proof-of-concept exploit code. This flaw, identified as CVE-2026-57517, carries a maximum CVSS score of 9.8.
- CVE: CVE-2026-57517
- CVSS: 9.8 (Critical · CVSSv3)
- Product: Control Web Panel
- Affected: < 0.9.8.1225
- Impact: Control Web Panel < 0.9.8.1225 Blind SQL Injection via userRes Parameter
- Status: No confirmed exploitation yet
- Patched in: 0.9.8.1225
- EPSS: 0.6% (30-day)
- Action: Update to 0.9.8.1225 now
TL;DR
A severe vulnerability exists in Control Web Panel. This Control Web Panel SQLi flaw allows remote code execution. A public proof-of-concept exploit is now available online. Administrators must patch their servers immediately to prevent attacks.
Why It Matters
Control Web Panel manages thousands of web hosting environments globally. CVE-2026-57517 threatens these servers with complete compromise. Attackers do not need prior authentication to exploit this bug. Furthermore, the public release of the proof-of-concept code increases the immediate danger. Threat actors often weaponize public exploits quickly to target unpatched systems. Therefore, server administrators face an urgent risk of data breaches and server hijacking. Protecting these hosting environments requires swift administrative action.
How the Attack Works
The vulnerability originates at the user endpoint. Specifically, the system fails to sanitize input within the “userRes” POST parameter. This failure permits unauthenticated attackers to execute arbitrary SQL queries. According to the advisory, “successful exploitation allows an unauthenticated attacker to execute arbitrary SQL queries with the privileges of the MySQL root user.” This account possesses global file modification capabilities. Attackers write arbitrary files to the filesystem using the INTO DUMPFILE command. They typically deploy a PHP webshell into the web-accessible Roundcube logs directory. Consequently, they achieve remote code execution as the cwpsvc account. They can then control the server remotely.
Affected Versions
This blind SQL injection flaw impacts older installations of the software. Control Web Panel versions prior to 0.9.8.1225 contain the vulnerability. Researchers have already published public proof-of-concept exploit code; the exploit details are documented in the Karma In Security report. However, experts have not yet confirmed active exploitation in the wild.
Patch and Mitigation Steps
Administrators must update their systems right away. Upgrade to Control Web Panel version 0.9.8.1225 or newer. Additionally, audit your server logs for unexpected files in the Roundcube directory. Restrict access to the administrative panel using firewall rules where possible. Network segmentation can also help isolate critical database services.
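Two of the checks above (confirming the installed version is at or past the patched release, and auditing for script files being served from the Roundcube logs directory, the webshell location described under "How the Attack Works") can be scripted. This is an added example, not code from the advisory or the Control Web Panel project; the Roundcube logs URL prefix and the combined-format access log lines are assumptions and constructed samples.

```python
import re
from typing import List, Tuple

PATCHED_VERSION = (0, 9, 8, 1225)  # advisory: fixed in 0.9.8.1225


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.9.8.1224' into (0, 9, 8, 1224) for numeric comparison."""
    return tuple(int(p) for p in v.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True when the installed version is older than the patched release."""
    return parse_version(version) < PATCHED_VERSION


# Assumed web path of the Roundcube logs directory; adjust to your layout.
ROUNDCUBE_LOGS_PREFIX = "/roundcube/logs/"

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_requests(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Flag requests that execute a .php file from the Roundcube logs directory.

    A logs directory should only ever hold plain log files (and ideally be
    denied by the web server), so any script served from it is a webshell
    candidate and warrants an incident ticket."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop query string
        if path.startswith(ROUNDCUBE_LOGS_PREFIX) and path.lower().endswith(".php"):
            hits.append((m.group("ip"), m.group("method"), path))
    return hits


# Constructed sample lines (not real traffic) for demonstration.
SAMPLE_LOG = [
    '203.0.113.10 - - [02/May/2026:10:00:01 +0000] "GET /roundcube/ HTTP/1.1" 200 512',
    '203.0.113.10 - - [02/May/2026:10:00:05 +0000] "POST /user/ HTTP/1.1" 200 88',
    '203.0.113.10 - - [02/May/2026:10:00:07 +0000] "GET /roundcube/logs/EXAMPLE.php?a=1 HTTP/1.1" 200 40',
    '198.51.100.7 - - [02/May/2026:10:01:00 +0000] "GET /roundcube/logs/errors.log HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    print("0.9.8.1224 vulnerable:", is_vulnerable("0.9.8.1224"))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

Run it against your real access log and a version string taken from the panel; a non-empty result from `suspicious_requests` should be treated as a possible post-exploitation artifact, not merely as a patching reminder.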