Skip to main content

mdserver-web CVE-2026-41315

| EUVDEUVD-2026-30362 CRITICAL
OS Command Injection (CWE-78)
2026-05-14 GitHub_M
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 14, 2026 - 19:30 vuln.today
CVSS changed
May 14, 2026 - 19:22 NVD
9.3 (CRITICAL)
CVE Published
May 14, 2026 - 18:31 nvd
CRITICAL 9.3

DescriptionGitHub Advisory

mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication on the /modify_crond and /start_task interfaces, it is possible to modify the default built-in scheduled tasks and start them, achieving RCE.

AnalysisAI

Remote code execution in mdserver-web Linux panel versions 0.18.0 through 0.18.4 allows unauthenticated remote attackers to execute arbitrary system commands by exploiting unprotected scheduled task management endpoints. Attackers can modify built-in cron jobs via the /modify_crond interface and trigger execution through /start_task without any authentication, achieving complete system compromise. No public exploit code or active exploitation confirmed at time of analysis, though the attack complexity is rated low with network-based access vector.

Technical ContextAI

mdserver-web is a lightweight Linux server management panel providing web-based administration capabilities including scheduled task management through cron jobs. The vulnerability stems from missing authentication controls (CWE-78: OS Command Injection) on two critical API endpoints responsible for modifying and executing scheduled tasks. The CVSS 4.0 vector indicates network accessibility (AV:N), low attack complexity (AC:L), no attack requirements (AT:N), and no required privileges (PR:N) or user interaction (UI:N). The affected component allows direct manipulation of system cron configuration and immediate task execution, bypassing the intended administrative access controls that should protect these privileged operations.

RemediationAI

Upgrade mdserver-web to version 0.18.5 or later, which addresses the authentication bypass on scheduled task management endpoints according to the GitHub Security Advisory GHSA-3h92-g9hr-xc25. If immediate patching is not feasible, implement network-level access controls: restrict access to the web panel interface (typically TCP port 7200) to trusted IP addresses via firewall rules or reverse proxy authentication, blocking external internet access entirely. Alternatively, place the panel behind a VPN or bastion host requiring authentication before reaching the vulnerable endpoints. Monitor system cron jobs for unauthorized modifications through log analysis of /var/log/cron and /etc/crontab changes. These mitigations reduce attack surface but do not eliminate risk from insider threats or lateral movement scenarios - prioritize upgrading to patched version.

Share

CVE-2026-41315 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy