CVE-2026-57517

Published Jul 1, 2026

Last updated 4 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-57517 describes a blind SQL injection vulnerability found in Control Web Panel (CWP) versions prior to 0.9.8.1225. This flaw allows unauthenticated remote attackers to execute arbitrary SQL queries by submitting unsanitized input through the `userRes` POST parameter at the `user` endpoint. Exploiting this vulnerability, attackers can leverage the MySQL root privileges used by CWP to write arbitrary files, such as PHP webshells, to the web-accessible `roundcube logs` directory using the `INTO DUMPFILE` function. This ultimately leads to remote code execution as the `cwpsvc` account, requiring no prior authentication or user interaction.

Description
Control Web Panel before 0.9.8.1225 contains a blind SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary SQL queries by submitting unsanitized input through the userRes POST parameter at the user endpoint. Attackers can exploit MySQL root privileges obtained via the injection to write arbitrary files using INTO DUMPFILE, enabling deployment of a PHP webshell to the web-accessible roundcube logs directory and achieving remote code execution as the cwpsvc account.
Source
disclosure@vulncheck.com
NVD status
Awaiting Analysis

Risk scores

CVSS 4.0

Type
Secondary
Base score
9.3
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

disclosure@vulncheck.com
CWE-89

Social media

Hype score
Not currently trending