Description
A lack of path validation in aaPanel v7.57.0 allows attackers to execute a local file inclusion (LFI), leadingot sensitive information exposure.
Published: 2026-03-18
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion leading to information disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability exists in aaPanel version 7.57.0 due to insufficient path validation. This flaw allows an attacker to execute a local file inclusion (LFI), which can expose sensitive information stored on the server. The weakness maps to CWE‑98, indicating a failure to restrict file inclusion to trusted paths. Files outside the intended directory could be read or executed, compromising data confidentiality and potentially enabling further exploitation.

Affected Systems

Only aaPanel 7.57.0 is affected. No other versions or vendors are listed as impacted.

Risk and Exploitability

The CVSS score of 7.5 classifies the issue as high severity, while an EPSS score of less than 1% suggests low current exploitation probability. This vulnerability is not present in the CISA Known Exploited Vulnerabilities catalog. Based on the description, the attack vector involves invoking the web interface of aaPanel; the lack of path validation is likely exploitable remotely by anyone who can send crafted requests to the affected endpoint. Attackers could read arbitrary local files, leading to confidentiality loss or execution of arbitrary code if files are executed.

Generated by OpenCVE AI on March 19, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the aaPanel vendor website or repository for an updated version that addresses the LFI flaw
  • If a patch is not yet available, restrict external access to the aaPanel web interface via firewall rules

Generated by OpenCVE AI on March 19, 2026 at 20:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Title Local File Inclusion via Path Validation in aaPanel v7.57.0

Thu, 19 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:aapanel:aapanel:7.57.0:*:*:*:*:*:*:*

Thu, 19 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-98
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Aapanel
Aapanel aapanel
Vendors & Products Aapanel
Aapanel aapanel

Wed, 18 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description A lack of path validation in aaPanel v7.57.0 allows attackers to execute a local file inclusion (LFI), leadingot sensitive information exposure.
References

Subscriptions

Aapanel Aapanel
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-19T14:24:44.583Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29858

cve-icon Vulnrichment

Updated: 2026-03-19T14:24:34.498Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T18:16:27.230

Modified: 2026-03-19T19:23:51.937

Link: CVE-2026-29858

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:54:05Z

Weaknesses