Description
CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a fully qualified class name directly from user-supplied request input and used it for dynamic static method calls and object instantiation without any allowlist validation, allowing for authenticated Remote Code Execution. An authenticated admin-level user could supply an arbitrary class name available in the Composer autoloader, potentially triggering unintended constructor or magic method execution. The update() method reads settings_class directly from the HTTP request and passes it to new $settings_class() and $settings_class::getValidations() without verifying that the provided value corresponds to a legitimate settings class. Because PHP resolves class names against the Composer autoloader at runtime, any autoloadable class in the application or its dependencies could be instantiated. Depending on the classes available in the dependency tree, this can trigger unintended side effects through constructors or magic methods (__construct, __toString, __wakeup), following a PHP object injection / gadget chain pattern. This issue has been fixed in version 1.2.0.
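As an added illustration of the CWE-470 pattern the description names (this is not CtrlPanel's own code; the settings classes, request keys and allowlist are assumptions), the unrestricted dynamic dispatch beside an allowlist-based replacement that maps a user-facing key to a fixed set of classes before any dynamic call happens:

```php
<?php
// Constructed stand-ins for two legitimate settings classes (assumed names).
final class GeneralSettings {
    public static function getValidations(): array { return ['site_name' => 'required|string']; }
}
final class MailSettings {
    public static function getValidations(): array { return ['mail_host' => 'required|string']; }
}

// Vulnerable shape: the class name comes straight from the request and is used
// for a static call and for instantiation, so any autoloadable class can be named.
function updateVulnerable(array $request): array {
    $settings_class = $request['settings_class'];   // untrusted, unvalidated
    $rules = $settings_class::getValidations();      // dynamic static call on attacker-chosen class
    $settings = new $settings_class();                // dynamic instantiation, constructor runs
    return $rules;
}

// Hardened shape: the request only carries a short key; the class name is taken
// from a fixed allowlist, and unknown keys are rejected before any dynamic dispatch.
const SETTINGS_CLASSES = [
    'general' => GeneralSettings::class,
    'mail'    => MailSettings::class,
];

function resolveSettingsClass(string $key): string {
    if (!array_key_exists($key, SETTINGS_CLASSES)) {
        throw new InvalidArgumentException('Unknown settings group: ' . $key);
    }
    return SETTINGS_CLASSES[$key];
}

function updateHardened(array $request): array {
    $settings_class = resolveSettingsClass((string)($request['settings_group'] ?? ''));
    $rules = $settings_class::getValidations();      // only allowlisted classes reach this point
    $settings = new $settings_class();
    return $rules;
}

// Demo: an allowlisted key works; an arbitrary class name is rejected.
var_dump(updateHardened(['settings_group' => 'mail']));
try {
    updateHardened(['settings_group' => 'Some\\Vendor\\ArbitraryClass']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

If the endpoint must keep accepting full class names for compatibility, the equivalent check is a strict `in_array($name, SETTINGS_CLASSES, true)` against the same fixed list, never a prefix or namespace match.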
Published: 2026-05-19
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CtrlPanel, an open‑source billing system, contains an authenticated Remote Code Execution flaw. The admin settings update endpoint accepts a fully qualified class name directly from the request payload and uses it for dynamic static method calls and object instantiation without any allowlist validation. This corresponds to CWE‑470, allowing an authenticated administrator to name any autoloadable class in the application or its dependencies. By selecting a class whose constructor or magic methods have side effects, an attacker can trigger arbitrary code execution, potentially compromising the entire hosting environment.

Affected Systems

The vulnerability affects CtrlPanel‑gg:panel, specifically all releases up to and including version 1.1.1. The flaw was mitigated in the 1.2.0 release, which removes the unvalidated dynamic class loading from the settings update flow.

Risk and Exploitability

The CVSS score of 6.6 indicates a moderate severity, and the issue is not listed in CISA KEV. EPSS data is not available, so the exploitation likelihood cannot be quantified. Nonetheless, because the flaw requires authenticated admin access and a valid HTTP request to the update endpoint, the attack surface is limited to administrators with network connectivity to the panel. If exploited, an attacker can execute arbitrary PHP code, leading to full system compromise. No public exploit has been documented, but the absence of a mitigation in earlier releases means any deployed instance is vulnerable until patched.

Generated by OpenCVE AI on May 19, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CtrlPanel to version 1.2.0 or later, which removes the vulnerable dynamic class loading logic.
  • Remove or isolate any custom or deprecated PHP classes that could be autoloaded to minimize the attack surface before applying the patch.
  • Ensure only authorized, high‑privilege accounts have administrative access to the panel, as the vulnerability requires admin authentication.


Advisories

No advisories yet.

History

Wed, 20 May 2026 13:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 May 2026 11:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Ctrlpanel-gg; Ctrlpanel-gg panel

Type: Vendors & Products
Values Removed: (none)
Values Added: Ctrlpanel-gg; Ctrlpanel-gg panel

Tue, 19 May 2026 21:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a fully qualified class name directly from user-supplied request input and used it for dynamic static method calls and object instantiation without any allowlist validation, allowing for authenticated Remote Code Execution. An authenticated admin-level user could supply an arbitrary class name available in the Composer autoloader, potentially triggering unintended constructor or magic method execution. The update() method reads settings_class directly from the HTTP request and passed it to new $settings_class() and $settings_class::getValidations() without verifying that the provided value corresponds to a legitimate settings class: Because PHP resolves class names against the Composer autoloader at runtime, any autoloadable class in the application or its dependencies could be instantiated. Depending on the classes available in the dependency tree, this can trigger unintended side effects through constructors or magic methods (__construct, __toString, __wakeup), following a PHP object injection / gadget chain pattern. This issue has been fixed in version 1.2.0.

Type: Title
Values Removed: (none)
Values Added: CtrlPanel: Authenticated Remote Code Execution via Dynamic Class Instantiation in SettingsController.php

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-470

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T13:06:25.535Z

Reserved: 2026-03-26T15:57:52.324Z

Link: CVE-2026-34216

Vulnrichment

Updated: 2026-05-20T13:06:17.177Z

NVD

Status : Deferred

Published: 2026-05-19T21:16:42.570

Modified: 2026-05-20T14:06:33.993

Link: CVE-2026-34216

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:39:02Z

Weaknesses