EUVD-2026-30984CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the web-based installer (public/installer/index.php) is vulnerable to unauthenticated Remote Code Execution (RCE) because it performs the install.lock check only after including and executing form handler files, leaving installer endpoints reachable on already-installed instances. The handlers also pass unsanitized user input directly into shell commands, allowing an attacker to submit crafted requests that execute arbitrary commands on the server. The vulnerability stems from two combined weaknesses: (1) premature form handler execution before the lock file gate, and (2) unsafe use of user input in shell command construction. This issue is reported to be actively exploited in the wild. The issue has been fixed in version 1.2.0.
AnalysisAI
Unauthenticated remote code execution in CtrlPanel billing software (versions 1.1.1 and prior) allows attackers to execute arbitrary OS commands via the web-based installer endpoint, even on already-installed instances. The flaw combines a control-flow bug (install.lock gate runs after handler execution) with command injection through unsanitized user input passed into shell commands. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
WITHIN 24 HOURS: Conduct inventory of all CtrlPanel deployments and identify which instances are internet-facing and running version 1.1.1 or earlier. WITHIN 7 DAYS: Implement emergency network controls-restrict all access to the installer endpoint or isolate the application from untrusted networks; deploy Web Application Firewall rules to block command injection patterns in installer parameters. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today