Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
An arbitrary file upload vulnerability in aaPanel v7.57.0 allows attackers to execute arbitrary code via uploading a crafted file.
AnalysisAI
aaPanel v7.57.0 contains an arbitrary file upload vulnerability that allows unauthenticated or low-privileged attackers to upload malicious files and achieve remote code execution on affected systems. The vulnerability exists in the file upload functionality of the web-based server management panel, enabling attackers to bypass file type validation and execute arbitrary code with the privileges of the aaPanel process. While no CVSS score or EPSS probability is available in current sources, the Remote Code Execution impact combined with file upload attack vectors suggests critical severity; exploitation feasibility is indicated by the existence of public vulnerability research repositories.
Technical ContextAI
aaPanel is a Linux server management and operation panel written in Python that provides a web-based interface for system administration. The vulnerability stems from improper input validation in the file upload mechanism, classified under CWE categories related to unrestricted file uploads and code execution (typically CWE-434: Unrestricted Upload of File with Dangerous Type). The affected product version 7.57.0 fails to enforce adequate restrictions on uploaded file types, permissions, or execution contexts, allowing attackers to upload executable scripts or PHP/Python files that are subsequently executed by the web server or aaPanel daemon. The root cause involves inadequate server-side validation of file content and insufficient isolation of upload directories from executable paths.
RemediationAI
Immediately upgrade aaPanel to the latest patched version available from the official repository at https://github.com/aapanel/aapanel. Until patches are applied, implement the following interim controls: restrict network access to the aaPanel web interface using firewall rules to allow only trusted administrator IP addresses, disable the file upload functionality if not in active use, implement strict file type validation and execution prevention in the upload directory by setting appropriate filesystem permissions (remove execute bits), and monitor upload activity for suspicious file submissions. Consider deploying aaPanel behind a reverse proxy with request filtering rules that validate Content-Type headers and reject suspicious multipart form submissions.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12921