Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication on the /modify_crond and /start_task interfaces, it is possible to modify the default built-in scheduled tasks and start them, achieving RCE.
AnalysisAI
Remote code execution in mdserver-web Linux panel versions 0.18.0 through 0.18.4 allows unauthenticated remote attackers to execute arbitrary system commands by exploiting unprotected scheduled task management endpoints. Attackers can modify built-in cron jobs via the /modify_crond interface and trigger execution through /start_task without any authentication, achieving complete system compromise. No public exploit code or active exploitation confirmed at time of analysis, though the attack complexity is rated low with network-based access vector.
Technical ContextAI
mdserver-web is a lightweight Linux server management panel providing web-based administration capabilities including scheduled task management through cron jobs. The vulnerability stems from missing authentication controls (CWE-78: OS Command Injection) on two critical API endpoints responsible for modifying and executing scheduled tasks. The CVSS 4.0 vector indicates network accessibility (AV:N), low attack complexity (AC:L), no attack requirements (AT:N), and no required privileges (PR:N) or user interaction (UI:N). The affected component allows direct manipulation of system cron configuration and immediate task execution, bypassing the intended administrative access controls that should protect these privileged operations.
RemediationAI
Upgrade mdserver-web to version 0.18.5 or later, which addresses the authentication bypass on scheduled task management endpoints according to the GitHub Security Advisory GHSA-3h92-g9hr-xc25. If immediate patching is not feasible, implement network-level access controls: restrict access to the web panel interface (typically TCP port 7200) to trusted IP addresses via firewall rules or reverse proxy authentication, blocking external internet access entirely. Alternatively, place the panel behind a VPN or bastion host requiring authentication before reaching the vulnerable endpoints. Monitor system cron jobs for unauthorized modifications through log analysis of /var/log/cron and /etc/crontab changes. These mitigations reduce attack surface but do not eliminate risk from insider threats or lateral movement scenarios - prioritize upgrading to patched version.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30362