CVE-2024-51568NVD

Vulnerability Summary

CyberPanel (aka Cyber Panel) before 2.3.5 allows Command Injection via completePath in the ProcessUtilities.outputExecutioner() sink. There is /filemanager/upload (aka File Manager upload) unauthenticated remote code execution via shell metacharacters.

Severity Level

CRITICAL(10.0)

Published Date

Oct 29, 2024

Last Modified

Jul 7, 2025

Exploitation Status

????

EPSS Score (30-Day)

Data Pending

Root Weakness (CWE)

CWE-78: OS Command Injection ↗

The software constructs all or part of an OS command using externally-influenced input, but does not properly neutralize special elements.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeChanged

ConfidentialityHigh

IntegrityHigh

AvailabilityHigh

External References

https://cwe.mitre.org/data/definitions/78.html
https://cyberpanel.net/KnowledgeBase/home/change-logs/
https://cyberpanel.net/blog/cyberpanel-v2-3-5
https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce

Critical Alert

CVE Watchtower

CVE-2024-51568NVD

Vulnerability Summary

External References