Description
mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication on the /modify_crond and /start_task interfaces, it is possible to modify the default built-in scheduled tasks and start them, achieving RCE.
Published: 2026-05-14
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

mdserver-web exposes a critical lack of authentication on the /modify_crond and /start_task endpoints. Based on the description, it is inferred that an attacker who can reach these URLs can modify built‑in scheduled tasks and execute them, allowing arbitrary operating system commands to run with the web service's privileges. This leads to full remote code execution, compromising confidentiality, integrity, and availability of the affected system. The weakness aligns with CWE‑78 for OS command injection and CWE‑862 for missing authorization.

Affected Systems

The vulnerability affects midoks mdserver-web versions 0.18.0 through 0.18.4. These versions are deployed as a Linux control panel and are vulnerable to exploitation unless updated to a later release that implements proper authentication on the affected endpoints.

Risk and Exploitability

The CVSS score of 9.3 indicates a very high severity. No EPSS score is reported, but based on the lack of authentication and the presence of a direct web‑based command injection, it is inferred that the vulnerability is likely to be exploited, especially if the control panel is exposed to untrusted networks. The issue is not listed in CISA's KEV catalog, but the potential impact and the availability of an unauthenticated RCE path warrant immediate attention.

Generated by OpenCVE AI on May 14, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade mdserver-web to a version released after 0.18.4 that addresses the missing authentication on /modify_crond and /start_task.
  • Configure the web server or firewall to restrict access to these endpoints so that only authenticated or IP‑restricted traffic can reach them.
  • If an upgrade cannot be performed immediately, isolate the mdserver‑web instance from external networks or disable the cron modification feature in the configuration to block unauthenticated manipulation of scheduled tasks.

Generated by OpenCVE AI on May 14, 2026 at 20:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication on the /modify_crond and /start_task interfaces, it is possible to modify the default built-in scheduled tasks and start them, achieving RCE.
Title mdserver-web: Missing Authorization and Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Weaknesses CWE-78
CWE-862
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T18:31:09.710Z

Reserved: 2026-04-20T14:01:46.671Z

Link: CVE-2026-41315

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-14T19:16:35.127

Modified: 2026-05-15T14:55:44.507

Link: CVE-2026-41315

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T21:00:13Z

Weaknesses