Skip to main content

Webpanel CVE-2025-48703

CRITICAL
OS Command Injection (CWE-78)
2025-09-19 cve@mitre.org
9.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.0 CRITICAL
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Mar 28, 2026 - 19:13 vuln.today
Added to CISA KEV
Nov 05, 2025 - 14:07 cisa
CISA KEV
PoC Detected
Nov 05, 2025 - 14:07 vuln.today
Public exploit code
CVE Published
Sep 19, 2025 - 18:15 nvd
CRITICAL 9.0

DescriptionCVE.org

CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.

AnalysisAI

CentOS Web Panel (CWP) allows unauthenticated remote code execution through OS command injection in the filemanager changePerm request's t_total parameter.

Technical ContextAI

The CWE-78 command injection in the filemanager's changePerm CGI passes the t_total parameter to a shell command without sanitization, enabling arbitrary command execution.

RemediationAI

Update CWP. Restrict panel access. Audit hosted sites for compromise.

CVE-2022-25046 CRITICAL POC
9.8 Jul 07

A path traversal vulnerability in loader.php of CWP v0.9.8.1122 allows attackers to execute arbitrary code via a crafted

CVE-2021-31324 CRITICAL POC
9.8 May 18

The unprivileged user portal part of CentOS Web Panel is affected by a Command Injection vulnerability leading to root R

CVE-2021-31316 CRITICAL POC
9.8 May 18

The unprivileged user portal part of CentOS Web Panel is affected by a SQL Injection via the 'idsession' HTTP POST param

CVE-2020-10230 CRITICAL POC
9.8 Mar 16

CentOS-WebPanel.com (aka CWP) CentOS Web Panel (for CentOS 6 and 7) allows SQL Injection via the /cwp_{SESSION_HASH}/adm

CVE-2019-13360 CRITICAL POC
9.8 Jul 16

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, remote attackers can bypass authentication in the login pro

CVE-2018-18322 CRITICAL POC
9.8 Oct 15

CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Command Injection via shell metacharacters in the admin/ind

CVE-2022-25048 HIGH POC
8.8 Jul 07

Command injection vulnerability in CWP v0.9.8.1126 that allows normal users to run commands as the root user. Rated high

CVE-2019-13477 HIGH POC
8.8 Aug 21

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, CSRF in the forgot password function allows an attacker to

CVE-2019-13605 HIGH POC
8.8 Jul 16

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.838 to 0.9.8.846, remote attackers can bypass authentication in

CVE-2018-18773 HIGH POC
8.8 Nov 20

CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=rootpwd, as demo

CVE-2018-18772 HIGH POC
8.8 Nov 20

CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=send_ssh, as dem

CVE-2019-13359 HIGH POC
7.5 Jul 16

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, a cwpsrv-xxx cookie allows a normal user to craft and uploa

Share

CVE-2025-48703 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy