From: Egidio Romano <n0b0d13s () gmail com>
Date: Wed, 1 Jul 2026 11:49:52 +0200
---------------------------------------------------------------------
Control Web Panel <= 0.9.8.1224 (userRes) SQL Injection Vulnerability
---------------------------------------------------------------------
[-] Software Link:
https://control-webpanel.com
[-] Affected Versions:
Version 0.9.8.1224 and prior versions.
[-] Vulnerability Description:
User input passed through the "userRes" POST parameter to
https://[CWP_Host]:2083/[CWP_Username]/
is not properly sanitized before being used to construct an SQL query. This
can be exploited by remote, unauthenticated attackers to carry out (blind)
SQL Injection attacks.
Successful exploitation of this vulnerability requires the attacker to know
or correctly guess the username of a valid non-root account on the affected
CWP instance.
NOTE: successful exploitation allows an unauthenticated attacker to execute
arbitrary SQL queries with the privileges of the MySQL root user. Because
this account possesses the global FILE privilege, the vulnerability can be
leveraged to write arbitrary files to writable locations on the underlying
filesystem using MySQL's file output capabilities (e.g., INTO DUMPFILE). By
writing a malicious PHP payload to the web-accessible
/usr/local/cwpsrv/var/services/roundcube/logs/ directory, an attacker might
be able to execute arbitrary PHP code remotely, resulting in full Remote
Code Execution (RCE) on the affected CWP instance with the privileges of
the 'cwpsvc' account.
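As an added defender-side example (not part of this advisory or of CWP code), the following check scans request logs for the injection point described above. It assumes a reverse proxy or WAF in front of CWP that logs one JSON object per request including the decoded POST body, which the advisory does not describe; the log lines are constructed samples.

```python
"""Detection for the advisory's injection point: POST to :2083/<username>/ with
a userRes parameter. Added example, not advisory or CWP code. Assumes a reverse
proxy/WAF logs one JSON object per request with the decoded POST body."""
import json
import re
from urllib.parse import parse_qs

CWP_PANEL_PORT = 2083
CWP_PANEL_PATH = re.compile(r"^/[A-Za-z0-9_.-]+/?$")  # :2083/[CWP_Username]/

# Each pattern is a strong signal on its own; a lone apostrophe (O'Brien) is
# not, so a quote only counts when a boolean operator follows it.
SQLI_MARKERS = [
    re.compile(r"'\s*(OR|AND)\b", re.I),             # x' OR '1'='1
    re.compile(r"(--\s|--$|/\*|\*/)"),               # SQL comment sequences
    re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),   # time-based blind probes
    re.compile(r"\bINTO\s+(OUT|DUMP)FILE\b", re.I),  # file write via FILE privilege
]

def is_cwp_panel_post(rec):
    return (rec.get("method") == "POST" and rec.get("port") == CWP_PANEL_PORT
            and CWP_PANEL_PATH.match(rec.get("path", "")) is not None)

def sqli_markers_in_user_res(body):
    found = []  # patterns matched by any userRes value in the form body
    for value in parse_qs(body, keep_blank_values=True).get("userRes", []):
        found.extend(p.pattern for p in SQLI_MARKERS if p.search(value))
    return found

def scan(log_lines):
    hits = []  # (src_ip, path, matched patterns) per suspicious request
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if is_cwp_panel_post(rec):
            markers = sqli_markers_in_user_res(rec.get("body", ""))
            if markers:
                hits.append((rec.get("src_ip"), rec["path"], markers))
    return hits

# Constructed sample log lines (not real traffic): benign, two suspicious, a GET, junk.
SAMPLE_LOG = [
    '{"src_ip":"198.51.100.7","method":"POST","port":2083,"path":"/alice/","body":"userRes=O%27Brien+and+Co&lang=en"}',
    '{"src_ip":"203.0.113.9","method":"POST","port":2083,"path":"/alice/","body":"userRes=x%27+OR+%271%27%3D%271"}',
    '{"src_ip":"203.0.113.9","method":"POST","port":2083,"path":"/alice/","body":"userRes=x%27+AND+SLEEP%285%29--+-"}',
    '{"src_ip":"198.51.100.8","method":"GET","port":2083,"path":"/alice/","body":""}',
    "not json",
]
```

Running `scan(SAMPLE_LOG)` reports only the two requests from 203.0.113.9; the benign apostrophe and the GET are not flagged.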
[-] Proof of Concept:
https://karmainsecurity.com/pocs/CVE-2026-57517.php
[-] Solution:
Upgrade to version 0.9.8.1225 or later.
[-] Disclosure Timeline:
[XX/YY/2025] - Vulnerability discovered
[06/05/2026] - Version 0.9.8.1225 released, issue fixed by the vendor
[26/06/2026] - CVE identifier requested
[26/06/2026] - CVE identifier assigned
[01/07/2026] - Public disclosure
[-] CVE Reference:
CVE-2026-57517 has been assigned to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
https://karmainsecurity.com/KIS-2026-12
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/