Description
CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the web-based installer (public/installer/index.php) is vulnerable to unauthenticated Remote Code Execution (RCE) because it performs the install.lock check only after including and executing form handler files, leaving installer endpoints reachable on already-installed instances. The handlers also pass unsanitized user input directly into shell commands, allowing an attacker to submit crafted requests that execute arbitrary commands on the server. The vulnerability stems from two combined weaknesses: (1) premature form handler execution before the lock file gate, and (2) unsafe use of user input in shell command construction. This issue is reported to be actively exploited in the wild. The issue has been fixed in version 1.2.0.
Published: 2026-05-19
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an unauthenticated attacker to execute arbitrary shell commands via the web‑based installer. The flaw arises because the installer checks for an install lock only after including form handlers, and unsanitized user input is directly inserted into shell commands. As a result, an attacker can run any command on the host, compromising confidentiality, integrity, and availability of the server. The weakness corresponds to improper authorization and unsafe command execution (CWE-284 and CWE-78).

Affected Systems

Ctrlpanel‑gg panel versions 1.1.1 and earlier are affected. The issue is resolved in v1.2.0. The software is an open‑source billing solution for hosting providers.

Risk and Exploitability

The vulnerability has a CVSS score of 10, indicating critical severity. No EPSS data is available, but the advisory states that it is actively exploited in the wild. The attacker does not need authentication and can reach the vulnerable endpoint through normal web requests. Since the vulnerability is excluded from CISA KEV, it has not yet been catalogued there, but its high impact and active exploitation warrant immediate attention.

Generated by OpenCVE AI on May 19, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ctrlpanel installation to version 1.2.0 or later where the installer is disabled and input sanitization added.
  • If an upgrade is delayed, immediately disable or delete the public/installer directory to block access to the vulnerable scripts.
  • Restrict network access to the installer URL using a firewall or HTTP authentication so that only trusted IPs or users can reach it.
  • Verify that the install.lock file is present and that the installer endpoint returns a 404 or similar on subsequent access.

Generated by OpenCVE AI on May 19, 2026 at 22:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Ctrlpanel-gg
Ctrlpanel-gg panel
Vendors & Products Ctrlpanel-gg
Ctrlpanel-gg panel

Tue, 19 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the web-based installer (public/installer/index.php) is vulnerable to unauthenticated Remote Code Execution (RCE) because it performs the install.lock check only after including and executing form handler files, leaving installer endpoints reachable on already-installed instances. The handlers also pass unsanitized user input directly into shell commands, allowing an attacker to submit crafted requests that execute arbitrary commands on the server. The vulnerability stems from two combined weaknesses: (1) premature form handler execution before the lock file gate, and (2) unsafe use of user input in shell command construction. This issue is reported to be actively exploited in the wild. The issue has been fixed in version 1.2.0.
Title CtrlPanel: Unauthenticated RCE using installer script
Weaknesses CWE-284
CWE-78
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Ctrlpanel-gg Panel
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T15:45:56.882Z

Reserved: 2026-03-26T16:22:29.034Z

Link: CVE-2026-34234

cve-icon Vulnrichment

Updated: 2026-05-20T14:36:33.190Z

cve-icon NVD

Status : Deferred

Published: 2026-05-19T22:16:37.123

Modified: 2026-05-20T17:16:21.257

Link: CVE-2026-34234

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T10:38:59Z

Weaknesses