CVE-2026-57517 PUBLISHED

Control Web Panel < 0.9.8.1225 Blind SQL Injection via userRes Parameter

Assigner: VulnCheck
Reserved: 24.06.2026 Published: 01.07.2026 Updated: 01.07.2026

Control Web Panel before 0.9.8.1225 contains a blind SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary SQL queries by submitting unsanitized input through the userRes POST parameter at the user endpoint. Attackers can exploit MySQL root privileges obtained via the injection to write arbitrary files using INTO DUMPFILE, enabling deployment of a PHP webshell to the web-accessible roundcube logs directory and achieving remote code execution as the cwpsvc account.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor Control Web Panel
Product Control Web Panel
Versions Default: affected
  • affected from 0 to 0.9.8.1225 (excl.)

Credits

  • Egidio Romano finder

References

Problem Types

  • Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE