Description
CyberPanel 2.1 contains a command execution vulnerability that allows authenticated attackers to read arbitrary files and execute remote code by exploiting symlink attacks through the filemanager controller endpoint. Attackers can manipulate the completeStartingPath parameter in POST requests to /filemanager/controller to create symbolic links, read sensitive files like database credentials, and execute arbitrary shell commands through the /websites/fetchFolderDetails endpoint.
Published: 2026-05-10
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CyberPanel 2.1 contains an authenticated command execution flaw that allows attackers to read arbitrary files and run arbitrary shell commands by exploiting symlink attacks through the filemanager controller endpoint. Inadequate validation of the completeStartingPath parameter in POST requests to /filemanager/controller lets attackers create symbolic links that bypass normal path restrictions. By redirecting file operations, a malicious user can exfiltrate sensitive files such as database credentials and execute arbitrary commands via the /websites/fetchFolderDetails endpoint. This results in full compromise of the affected web server, giving the attacker read-write access to all files and the ability to run code under the web server's user context.

Affected Systems

The flaw affects all installations of CyberPanel version 2.1, as identified by the Cyberpanel:CyberPanel CNA. The product is the CyberPanel control panel software for Linux web servers. No specific patch level is listed, so any 2.1 release remains vulnerable until a patch is applied. The impact applies to all servers running this panel regardless of the underlying web server or database stack.

Risk and Exploitability

The CVSS score of 8.7 indicates a high-severity remote code execution risk. EPSS is not reported, but the absence of an EPSS value does not diminish the vulnerability's seriousness. CyberPanel is not listed in the CISA KEV catalog, suggesting no widespread exploitation has been observed publicly. Based on the description, the attack occurs remotely via the web interface and requires authenticated access to the panel, meaning an attacker must first obtain valid credentials or perform a credential-guessing attack. Once authenticated, the attacker can submit crafted POST requests to /filemanager/controller to create arbitrary symbolic links and then trigger code execution via /websites/fetchFolderDetails. The exploit relies on the CVE's path-traversal weakness (CWE-59) and the ease of manipulating symbolic links, making the post-authentication step a critical prerequisite.

Generated by OpenCVE AI on May 10, 2026 at 14:51 UTC.
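The containment check that the analysis above describes as missing, shown as an added illustration that is not CyberPanel's code and not part of this record: a Python helper that canonicalises a client-supplied path, refuses anything that resolves outside the site root (including through a planted symlink), and opens the final file with O_NOFOLLOW. The directory layout, file names and the `requested` parameter standing in for completeStartingPath are constructed assumptions.

```python
import os
import tempfile


def resolve_within_base(base_dir: str, requested: str) -> str:
    """Canonicalise `requested` relative to base_dir and refuse anything that
    resolves outside it. realpath() follows every symlink component, so a link
    planted inside base_dir that points elsewhere on disk is rejected, not followed."""
    base = os.path.realpath(base_dir)
    # Treat the client value as relative to the base even if it starts with '/'
    # ('requested' is a hypothetical stand-in for a parameter like completeStartingPath).
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise PermissionError(f"path escapes {base}: {requested!r}")
    return candidate


def read_file_checked(base_dir: str, requested: str) -> str:
    """Open only after the containment check; O_NOFOLLOW on the final component
    guards against a link being swapped in between the check and the open."""
    path = resolve_within_base(base_dir, requested)
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd) as f:
        return f.read()


def demo() -> dict:
    """Constructed layout: a per-site root with one legitimate file, a secret
    outside that root, and a symlink inside the root pointing at that secret."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "home", "site1", "public_html")
        outside = os.path.join(tmp, "etc")
        os.makedirs(root)
        os.makedirs(outside)
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("hello")
        with open(os.path.join(outside, "db.cnf"), "w") as f:
            f.write("password=constructed-sample")
        os.symlink(outside, os.path.join(root, "escape"))
        results = {"legit": read_file_checked(root, "index.html")}
        for bad in ("escape/db.cnf", "../../../etc/db.cnf"):
            try:
                read_file_checked(root, bad)
                results[bad] = "allowed"
            except PermissionError:
                results[bad] = "blocked"
    return results
```

Calling demo() returns {'legit': 'hello', 'escape/db.cnf': 'blocked', '../../../etc/db.cnf': 'blocked'}; the symlink is detected because realpath() resolves it before the prefix comparison.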

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the newest CyberPanel release that contains the command-execution patch, or install the vendor’s security update for version 2.1.
  • Limit file manager access to privileged users only and disable or restrict the /filemanager/controller endpoint for all other accounts.
  • Configure the web server to block arbitrary shell command execution via the /websites/fetchFolderDetails endpoint, for example by disabling CGI, modifying the PHP configuration, or applying API rate limiting.

Advisories

No advisories yet.

History

Sun, 10 May 2026 13:00:00 +0000

Type                 Values Removed   Values Added
Description          -                CyberPanel 2.1 contains a command execution vulnerability that allows authenticated attackers to read arbitrary files and execute remote code by exploiting symlink attacks through the filemanager controller endpoint. Attackers can manipulate the completeStartingPath parameter in POST requests to /filemanager/controller to create symbolic links, read sensitive files like database credentials, and execute arbitrary shell commands through the /websites/fetchFolderDetails endpoint.
Title                -                CyberPanel 2.1 Authenticated Remote Code Execution via Symlink Attack
First Time appeared  -                Cyberpanel; Cyberpanel cyberpanel
Weaknesses           -                CWE-59
CPEs                 -                cpe:2.3:a:cyberpanel:cyberpanel:*:*:*:*:*:*:*:*
Vendors & Products   -                Cyberpanel; Cyberpanel cyberpanel
References           -                -
Metrics              -                cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                                      cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:52:10.631Z

Reserved: 2026-02-01T11:24:18.719Z

Link: CVE-2021-47949

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-10T13:16:31.453

Modified: 2026-05-10T13:16:31.453

Link: CVE-2021-47949

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T15:00:11Z

Weaknesses