Description
An issue in the VirtualHost configuration handling/parser component of aaPanel v7.57.0 allows attackers to cause a Regular Expression Denial of Service (ReDoS) via a crafted input.
Published: 2026-03-18
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (ReDoS)
Action: Immediate Patch
AI Analysis

Impact

An issue in aaPanel version 7.57.0’s VirtualHost configuration handling/parser component allows an attacker to trigger a Regular Expression Denial of Service (ReDoS) by submitting crafted input. The flaw leads to uncontrolled resource consumption during regex processing, resulting in excessive CPU usage or memory usage that can degrade service performance or cause a complete outage. The vulnerability is identified as CWE‑400 (Uncontrolled Resource Consumption).

Affected Systems

The affected product is aaPanel version 7.57.0, as identified by the CPE entry cpe:2.3:a:aapanel:aapanel:7.57.0.*.*.*.*.*

Risk and Exploitability

The CVSS score of 7.5 places this vulnerability in the high severity range, indicating a significant impact if successfully exploited. EPSS indicates a very low overall exploitation probability (< 1 %), and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attack vector is remote, requiring an attacker to influence the virtual host configuration processing through malicious web requests handled by aaPanel, which would lead to application slowdown or denial of service for legitimate users.

Generated by OpenCVE AI on March 19, 2026 at 21:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official aaPanel patch that fixes the ReDoS issue as soon as it is available.
  • If a patch is not yet released, implement a timeout or limit input size for regex processing within the virtual host configuration parser.
  • Enable monitoring of system logs for abnormal regex processing spikes and apply rate‑limiting or temporary blocking of suspicious traffic to reduce impact.

Generated by OpenCVE AI on March 19, 2026 at 21:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:aapanel:aapanel:7.57.0:*:*:*:*:*:*:*

Thu, 19 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Aapanel
Aapanel aapanel
Vendors & Products Aapanel
Aapanel aapanel

Wed, 18 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description An issue in the VirtualHost configuration handling/parser component of aaPanel v7.57.0 allows attackers to cause a Regular Expression Denial of Service (ReDoS) via a crafted input.
References

Subscriptions

Aapanel Aapanel
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-19T14:19:23.842Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29856

cve-icon Vulnrichment

Updated: 2026-03-19T14:19:19.316Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T18:16:27.110

Modified: 2026-03-19T19:23:57.653

Link: CVE-2026-29856

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:54:06Z

Weaknesses