Skip to main content

CVE-2026-29859

| EUVDEUVD-2026-12921 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-03-18 mitre
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 18, 2026 - 18:00 euvd
EUVD-2026-12921
Analysis Generated
Mar 18, 2026 - 18:00 vuln.today
CVE Published
Mar 18, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

An arbitrary file upload vulnerability in aaPanel v7.57.0 allows attackers to execute arbitrary code via uploading a crafted file.

AnalysisAI

aaPanel v7.57.0 contains an arbitrary file upload vulnerability that allows unauthenticated or low-privileged attackers to upload malicious files and achieve remote code execution on affected systems. The vulnerability exists in the file upload functionality of the web-based server management panel, enabling attackers to bypass file type validation and execute arbitrary code with the privileges of the aaPanel process. While no CVSS score or EPSS probability is available in current sources, the Remote Code Execution impact combined with file upload attack vectors suggests critical severity; exploitation feasibility is indicated by the existence of public vulnerability research repositories.

Technical ContextAI

aaPanel is a Linux server management and operation panel written in Python that provides a web-based interface for system administration. The vulnerability stems from improper input validation in the file upload mechanism, classified under CWE categories related to unrestricted file uploads and code execution (typically CWE-434: Unrestricted Upload of File with Dangerous Type). The affected product version 7.57.0 fails to enforce adequate restrictions on uploaded file types, permissions, or execution contexts, allowing attackers to upload executable scripts or PHP/Python files that are subsequently executed by the web server or aaPanel daemon. The root cause involves inadequate server-side validation of file content and insufficient isolation of upload directories from executable paths.

RemediationAI

Immediately upgrade aaPanel to the latest patched version available from the official repository at https://github.com/aapanel/aapanel. Until patches are applied, implement the following interim controls: restrict network access to the aaPanel web interface using firewall rules to allow only trusted administrator IP addresses, disable the file upload functionality if not in active use, implement strict file type validation and execution prevention in the upload directory by setting appropriate filesystem permissions (remove execute bits), and monitor upload activity for suspicious file submissions. Consider deploying aaPanel behind a reverse proxy with request filtering rules that validate Content-Type headers and reject suspicious multipart form submissions.

Share

CVE-2026-29859 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy