CVE-2026-34234
Deferred - Pending Action
Unauthenticated Remote Code Execution in CtrlPanel Billing Software

Publication date: 2026-05-19

Last updated on: 2026-05-20

Assigner: GitHub, Inc.

Description
CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the web-based installer (public/installer/index.php) is vulnerable to unauthenticated Remote Code Execution (RCE) because it performs the install.lock check only after including and executing form handler files, leaving installer endpoints reachable on already-installed instances. The handlers also pass unsanitized user input directly into shell commands, allowing an attacker to submit crafted requests that execute arbitrary commands on the server. The vulnerability stems from two combined weaknesses: (1) premature form handler execution before the lock file gate, and (2) unsafe use of user input in shell command construction. This issue is reported to be actively exploited in the wild. The issue has been fixed in version 1.2.0.
Meta Information
Published: 2026-05-19
Last Modified: 2026-05-20
Generated: 2026-06-10
AI Q&A: 2026-05-20
EPSS Evaluated: 2026-06-08
Affected Vendors & Products (2 associated CPEs)
Vendor      Product     Version / Range
ctrlpanel   ctrlpanel   up to 1.2.0 (excluding)
ctrlpanel   ctrlpanel   1.2.0
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Quick Actions
Executive Summary

The vulnerability exists in CtrlPanel, an open-source billing software for hosting providers, specifically in versions 1.1.1 and earlier. The web-based installer is vulnerable to unauthenticated Remote Code Execution (RCE) because it executes form handler files before checking if the software is already installed (via the install.lock file). This means that installer endpoints remain accessible even after installation.

The form handlers take user input and directly insert it into shell commands without sanitization, allowing an attacker to craft requests that execute arbitrary commands on the server. The root causes are the premature execution of form handlers before the lock file check and unsafe handling of user input in shell commands.

This vulnerability has been actively exploited in the wild and was fixed in version 1.2.0.

Impact Analysis

This vulnerability allows an unauthenticated attacker to execute arbitrary commands on the server running CtrlPanel. This can lead to full system compromise, including unauthorized access to sensitive data, modification or deletion of files, disruption of services, and potentially using the server as a foothold to attack other systems.

Because the vulnerability has a CVSS base score of 10.0, it represents a critical risk with high impact on confidentiality, integrity, and availability.

Mitigation Strategies

The vulnerability has been fixed in CtrlPanel version 1.2.0. The immediate step to mitigate this vulnerability is to upgrade your CtrlPanel installation to version 1.2.0 or later.

Because the flaw is that installer endpoints remain reachable on already-installed instances, a temporary mitigation is to make the installer directory (public/installer/) inaccessible on production systems, for example by removing it or by denying access to it at the web server.

Compliance Impact

This vulnerability allows unauthenticated remote code execution on the affected CtrlPanel software, potentially leading to unauthorized access and control over the server.

Such unauthorized access and potential data breaches could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and ensure system integrity.

Because the vulnerability allows attackers to execute arbitrary commands, it could lead to exposure or manipulation of protected data, thereby violating confidentiality, integrity, and availability requirements mandated by these regulations.

Detection Guidance

Detection of this vulnerability involves checking whether the installer endpoint is still reachable on an already-installed instance and whether it accepts crafted requests that execute commands.

One approach is to request the installer URL path /public/installer/index.php on the target system to see whether it is reachable.

You can use curl or wget commands to test the accessibility of the installer endpoint, for example:

  • curl -i http://target-server/public/installer/index.php
  • wget --spider http://target-server/public/installer/index.php

If the installer page is accessible despite the application being installed, it indicates the presence of the vulnerability.

Further, crafted requests that include shell commands in parameters sent to the installer form handlers could be tested in a controlled environment to confirm RCE vulnerability.

Monitoring network traffic for unusual requests targeting /public/installer/index.php or suspicious shell command patterns may also help detect exploitation attempts.
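As an added example (not part of this record or of the CtrlPanel project), the following Python script applies the last point above to web server access logs: it flags any request under public/installer/ on a host where install.lock already exists, raises the severity for POSTs (which invoke the form handlers) and for parameters containing shell metacharacters, and records whether the server answered or refused the request. It assumes the nginx/Apache combined log format and the installer path named above; the log lines and the parameter name host are constructed sample data.

```python
"""Flag access-log requests that reach the CtrlPanel web installer.

Added illustration for CVE-2026-34234; this is not CtrlPanel project code.
Assumptions: the web server writes the nginx/Apache "combined" log format and
the installer is served at the path the advisory names. All log lines and the
parameter name "host" below are constructed sample data.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Installer location named in the advisory; any request beneath it is of interest
# once install.lock exists, because the endpoints should no longer be served.
INSTALLER_DIR = "/public/installer/"

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Characters that let a value break out of a shell command string (the CWE-78
# pattern the advisory describes); none belong in an installer form field.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")

# Constructed sample log (not captured from any real system).
SAMPLE_LOG = """\
203.0.113.5 - - [20/May/2026:10:01:02 +0000] "GET /dashboard HTTP/1.1" 200 5120
203.0.113.7 - - [20/May/2026:10:02:15 +0000] "GET /public/installer/index.php HTTP/1.1" 200 2310
198.51.100.9 - - [20/May/2026:10:03:44 +0000] "POST /public/installer/index.php?step=database HTTP/1.1" 200 871
198.51.100.9 - - [20/May/2026:10:03:50 +0000] "GET /public/installer/index.php?step=2&host=localhost%3Bid HTTP/1.1" 200 412
203.0.113.7 - - [21/May/2026:08:00:00 +0000] "GET /public/installer/index.php HTTP/1.1" 404 153
"""


def parse_line(line):
    """Split one combined-format line into fields; return None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = unquote(parts.path)  # decode percent-encoding in the path
    entry["query"] = parts.query
    return entry


def classify(entry, installed=True):
    """Return a verdict dict for installer requests, or None for everything else.

    installed=True means install.lock exists on this host, so even a plain GET
    of the installer is a finding (the endpoint should not be reachable at all).
    """
    if not entry["path"].startswith(INSTALLER_DIR):
        return None
    # parse_qsl decodes once; unquote again so a double-encoded ';' is still seen.
    params = parse_qsl(entry["query"], keep_blank_values=True)
    if any(SHELL_META.search(unquote(value)) for _, value in params):
        severity, reason = "critical", "shell metacharacters in installer parameters"
    elif entry["method"] == "POST":
        severity, reason = "high", "installer form handler invoked"
    elif installed:
        severity, reason = "medium", "installer reachable on an installed instance"
    else:
        severity, reason = "info", "installer request during installation"
    # A 4xx/5xx answer means the server refused the request (directory removed or
    # access restricted); record it as an attempt rather than a success.
    blocked = int(entry["status"]) >= 400
    return {"severity": severity, "reason": reason, "blocked": blocked}


def scan(log_text, installed=True):
    """Run classify() over every line and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry, installed)
        if verdict is not None:
            findings.append({
                "ip": entry["ip"], "time": entry["time"], "method": entry["method"],
                "path": entry["path"], "status": entry["status"], **verdict,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = " (blocked)" if f["blocked"] else ""
        print(f"{f['severity']:<8} {f['ip']:<14} {f['method']} {f['path']} -> {f['reason']}{flag}")
```

Access logs carry only the query string, so metacharacters inside POST bodies are not visible to this check; it should be paired with removal or blocking of the installer directory and, where available, WAF or full-request logging. On an instance that is still being installed, pass installed=False so ordinary installer traffic is reported as informational rather than as a finding.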
