CVE-2026-34216
Authenticated Remote Code Execution in CtrlPanel Billing Software
Publication date: 2026-05-19
Last updated on: 2026-05-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ctrlpanel | ctrlpanel | to 1.2.0 (exc) |
| ctrlpanel | ctrlpanel | 1.2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-470 | The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an authenticated admin-level user to execute arbitrary code remotely by supplying a crafted class name, potentially leading to unauthorized access, data manipulation, or system compromise.
Such unauthorized access and potential data breaches could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.
However, the provided information does not explicitly describe the direct effects on compliance with these standards.
Can you explain this vulnerability to me?
This vulnerability exists in CtrlPanel, an open-source billing software for hosting providers, in versions 1.1.1 and earlier. The admin settings update endpoint accepts a fully qualified class name directly from user input without validating it against an allowlist. This allows an authenticated admin user to supply any class name available in the Composer autoloader, which the system then uses to instantiate objects or call static methods dynamically.
Because PHP resolves class names at runtime via the Composer autoloader, this can lead to unintended execution of constructors or magic methods (__construct, __toString, __wakeup) of arbitrary classes. This behavior can be exploited to perform authenticated Remote Code Execution (RCE) through PHP object injection or gadget chains.
The issue was fixed in version 1.2.0 by adding proper validation to ensure only legitimate settings classes are instantiated.
How can this vulnerability impact me? :
If you are using CtrlPanel version 1.1.1 or earlier, an authenticated admin user could exploit this vulnerability to execute arbitrary code on the server. This could lead to full system compromise, unauthorized data access, data modification, or service disruption.
Because the vulnerability requires admin-level authentication, the risk is limited to users with such privileges, but the impact remains severe due to the potential for remote code execution.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade CtrlPanel to version 1.2.0 or later, where the issue has been fixed.
This update ensures that the admin settings update endpoint no longer accepts arbitrary class names without validation, preventing authenticated Remote Code Execution.