CVE-2026-34234

CtrlPanel: Unauthenticated RCE using installer script

Basic Information

CVE State
PUBLISHED
Reserved Date
March 26, 2026
Published Date
May 19, 2026
Last Updated
May 20, 2026
Vendor
Ctrlpanel-gg
Product
panel
Description
CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the web-based installer (public/installer/index.php) is vulnerable to unauthenticated Remote Code Execution (RCE) because it performs the install.lock check only after including and executing form handler files, leaving installer endpoints reachable on already-installed instances. The handlers also pass unsanitized user input directly into shell commands, allowing an attacker to submit crafted requests that execute arbitrary commands on the server. The vulnerability stems from two combined weaknesses: (1) premature form handler execution before the lock file gate, and (2) unsafe use of user input in shell command construction. This issue is reported to be actively exploited in the wild. The issue has been fixed in version 1.2.0.
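The description names two independent defects that only become an unauthenticated RCE in combination: a lock-file gate that is evaluated after form handlers have already run, and request input concatenated into a shell command. The PHP below is an added illustration of that pattern and its fix, not CtrlPanel's own installer code; the handler name, the `migrate` command, the `step`/`db_name` field names and the lock-file location are assumptions made for the example. Both command builders return the string they would execute rather than running it, so the file runs without side effects.

```php
<?php
declare(strict_types=1);

// Added example, not CtrlPanel's code. Models the two weaknesses in the CVE text:
// (1) the install.lock gate runs only after the handler, and (2) raw request input is
// spliced into a shell command. Handler/command/field names and the lock path are
// assumptions. Builders return the command string instead of executing it.

/** Vulnerable ordering: dispatch to the handler first, check the lock afterwards. */
function installerVulnerable(array $post, string $lockFile): string
{
    $log = '';
    // (1) The handler runs before anything has looked at install.lock, so it stays
    //     reachable on an instance that finished installing long ago.
    if (($post['step'] ?? '') === 'database') {
        $log .= 'handler ran: ' . buildMigrateVulnerable($post) . "\n";
    }
    // (2) The gate arrives too late to prevent the side effect above.
    if (is_file($lockFile)) {
        return $log . "gate: already installed\n";
    }
    return $log . "gate: installer open\n";
}

/** Vulnerable handler: user input concatenated straight into a shell string. */
function buildMigrateVulnerable(array $post): string
{
    // Whatever is in db_name is parsed by /bin/sh before artisan sees it, so shell
    // metacharacters in the value change which programs actually run.
    // Real code would pass this string to shell_exec()/exec(); here it is only returned.
    return 'php artisan migrate --database=' . ($post['db_name'] ?? '');
}

/** Hardened ordering: the gate is the first statement, before any include or dispatch. */
function installerHardened(array $post, string $lockFile): string
{
    if (is_file($lockFile)) {
        return "gate: already installed\n";   // nothing else in the installer runs
    }
    if (($post['step'] ?? '') === 'database') {
        $cmd = buildMigrateHardened($post);
        return $cmd === null ? "handler refused input\n" : 'handler would run: ' . $cmd . "\n";
    }
    return "gate: installer open\n";
}

/** Hardened handler: allow-list the value, then quote it as a single argument. */
function buildMigrateHardened(array $post): ?string
{
    $name = is_string($post['db_name'] ?? null) ? $post['db_name'] : '';
    // A connection name is a short identifier; reject anything else outright.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $name)) {
        return null;
    }
    // escapeshellarg() single-quotes the value so the shell treats it as one literal
    // argument even if the allow-list above is later relaxed.
    return 'php artisan migrate --database=' . escapeshellarg($name);
}

// Constructed inputs: a benign connection name and one carrying a shell metacharacter.
$requests = [
    ['step' => 'database', 'db_name' => 'mysql'],
    ['step' => 'database', 'db_name' => 'mysql; echo oops'],
];
$lock = tempnam(sys_get_temp_dir(), 'lock');   // stands in for install.lock

foreach ([true, false] as $installed) {
    if (!$installed) {
        unlink($lock);                          // second pass: fresh, not-yet-installed instance
    }
    echo '=== instance ' . ($installed ? 'installed (lock present)' : 'fresh (no lock)') . "\n";
    foreach ($requests as $req) {
        echo "--- input: {$req['db_name']}\n";
        echo 'vulnerable: ' . str_replace("\n", ' | ', installerVulnerable($req, $lock)) . "\n";
        echo 'hardened:   ' . str_replace("\n", ' | ', installerHardened($req, $lock)) . "\n";
    }
}
```

Run with `php installer_demo.php`. On the "installed" pass the vulnerable controller still reports `handler ran:` before printing `already installed`, which is the exposure the CVE describes; the hardened controller returns at the gate and never reaches a handler. On the "fresh" pass the hardened builder rejects the second input at the allow-list, and for the first input emits `--database='mysql'`, the quoted form `escapeshellarg()` produces. Where the process can be started without a shell at all (for example `proc_open()` with an argument array), that is preferable to quoting.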

CVSS Scores

CVSS v3.1

10.0 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC Information

Exploitation
poc
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2026-06-01 13:29:18 UTC)

Known Exploited Vulnerability Information

Source
CVE
Added Date
2026-06-01 13:29:18 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel