Description
An arbitrary file upload vulnerability in aaPanel v7.57.0 allows attackers to execute arbitrary code via uploading a crafted file.
Published: 2026-03-18
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

An arbitrary file upload flaw in aaPanel 7.57.0 permits an attacker to upload a crafted file that the server will execute, leading to remote code execution. This vulnerability is classified as a file upload flaw (CWE‑434) and may allow cross‑site scripting (CWE‑79), but the primary consequence is execution of arbitrary code with the privileges of the web server.

Affected Systems

aaPanel 7.57.0 is affected. No other versions or vendors are listed.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity. EPSS is below 1 %, and the issue is not in the CISA KEV list, so the likelihood of widespread exploitation is currently low. However, the attack vector is inferred to be via the web interface that accepts file uploads, and successful exploitation would require the ability to upload to the target, potentially needing authenticated access or lack of proper validation.

Generated by OpenCVE AI on March 23, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade aaPanel to a version that includes the fix
  • If an upgrade is not immediately possible, restrict file uploads only to trusted administrators and disable execution of uploaded files
  • Ensure the upload directory is not web‑executable and does not allow execution of binaries
  • Monitor logs for anomalous file upload activity
  • Check the vendor’s website or contact the vendor for additional guidance

Generated by OpenCVE AI on March 23, 2026 at 17:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Title aaPanel Arbitrary File Upload Leading to Remote Code Execution

Mon, 23 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94

Mon, 23 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-434
CWE-79

Thu, 19 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:aapanel:aapanel:7.57.0:*:*:*:*:*:*:*

Thu, 19 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Aapanel
Aapanel aapanel
Vendors & Products Aapanel
Aapanel aapanel

Wed, 18 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description An arbitrary file upload vulnerability in aaPanel v7.57.0 allows attackers to execute arbitrary code via uploading a crafted file.
References

Subscriptions

Aapanel Aapanel
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-23T15:16:36.471Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29859

cve-icon Vulnrichment

Updated: 2026-03-19T14:38:14.901Z

cve-icon NVD

Status : Modified

Published: 2026-03-18T18:16:27.347

Modified: 2026-03-23T16:16:45.193

Link: CVE-2026-29859

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:53:57Z

Weaknesses