CVE-2026-57517
Received Received - Intake

Blind SQL Injection in Control Web Panel

Vulnerability report for CVE-2026-57517, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: VulnCheck

Description

Control Web Panel before 0.9.8.1225 contains a blind SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary SQL queries by submitting unsanitized input through the userRes POST parameter at the user endpoint. Attackers can exploit MySQL root privileges obtained via the injection to write arbitrary files using INTO DUMPFILE, enabling deployment of a PHP webshell to the web-accessible roundcube logs directory and achieving remote code execution as the cwpsvc account.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-01
Last Modified
2026-07-01
Generated
2026-07-01
AI Q&A
2026-07-01
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
linanto control_web_panel to 0.9.8.1225 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Control Web Panel versions before 0.9.8.1225 contain a blind SQL injection vulnerability in the userRes POST parameter at the user endpoint.

This vulnerability allows unauthenticated remote attackers to execute arbitrary SQL queries by submitting unsanitized input.

Attackers can gain MySQL root privileges through this injection, which enables them to write arbitrary files using MySQL's INTO DUMPFILE feature.

By writing a malicious PHP webshell to the web-accessible roundcube logs directory, attackers can achieve remote code execution with the privileges of the cwpsvc account.

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote code execution on the affected system.

Attackers can execute arbitrary SQL commands with MySQL root privileges, potentially compromising the entire database and system.

They can deploy a PHP webshell in a web-accessible directory, allowing persistent access and control over the server as the cwpsvc user.

This can lead to data theft, system manipulation, service disruption, and further attacks originating from the compromised server.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or unauthorized SQL queries targeting the userRes POST parameter at the user endpoint. Specifically, look for SQL injection attempts that try to exploit the unsanitized input to execute arbitrary SQL commands.

Network detection can involve inspecting HTTP POST requests to the user endpoint for suspicious payloads containing SQL syntax or attempts to use MySQL's INTO DUMPFILE command.

On the system, detection can include checking for unexpected PHP files in the web-accessible roundcube logs directory (/usr/local/cwpsrv/var/services/roundcube/logs/), which may indicate a deployed webshell.

  • Use web server access logs to search for POST requests to the user endpoint with suspicious parameters, e.g., using grep:
  • grep 'POST /user' /var/log/httpd/access_log | grep 'userRes'
  • Inspect the roundcube logs directory for unexpected PHP files:
  • ls -la /usr/local/cwpsrv/var/services/roundcube/logs/ | grep ".php"
  • Use MySQL query logs or monitoring tools to detect suspicious queries involving INTO DUMPFILE or other file-writing commands.
Mitigation Strategies

The primary and immediate mitigation step is to upgrade Control Web Panel to version 0.9.8.1225 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, restrict access to the vulnerable user endpoint by implementing firewall rules or web application firewall (WAF) rules to block suspicious POST requests targeting the userRes parameter.

Additionally, monitor the system for signs of compromise, such as unexpected PHP files in the roundcube logs directory, and remove any malicious files found.

Review and harden MySQL permissions to limit the ability of the database user to write files using INTO DUMPFILE.

Compliance Impact

The vulnerability allows unauthenticated remote attackers to execute arbitrary SQL queries and achieve remote code execution on the affected system. This can lead to unauthorized access, data breaches, and potential manipulation or exposure of sensitive data.

Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and breaches.

Organizations using vulnerable versions of Control Web Panel may face increased risk of non-compliance due to the possibility of data exposure or system compromise resulting from this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57517. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart