CVE-2013-10053 HIGH

CVE-2013-10053: ZPanel <= 10.0.0.2 htpasswd Module Username Command Execution

Vendor Zpanel Project

Product ZPanel

Weakness CWE-78

Published August 1, 2025

Last update May 15, 2026

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A remote command execution vulnerability exists in ZPanel version 10.0.0.2 in its htpasswd module. When creating .htaccess files, the inHTUsername field is passed unsanitized to a system() call that invokes the system’s htpasswd binary. By injecting shell metacharacters into the username field, an authenticated attacker can execute arbitrary system commands. Exploitation requires a valid ZPanel account—such as one in the default Users, Resellers, or Administrators groups—but no elevated privileges.

Key dates

02Disclosure timeline

August 1, 2025 CVE published

May 15, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2013-10053

Related vulnerabilities

CVE-2013-10053: ZPanel <= 10.0.0.2 htpasswd Module Username Command Execution

01Description

02Disclosure timeline

03References

04Related CVE