CVE-2026-57517 CRITICAL

CVE-2026-57517: Control Web Panel < 0.9.8.1225 Blind SQL Injection via userRes Parameter

Vendor Control Web Panel
Product Control Web Panel
Weakness CWE-89 · SQLi
Published July 1, 2026
Last update July 2, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Control Web Panel before 0.9.8.1225 contains a blind SQL injection vulnerability. Unauthenticated remote attackers can execute arbitrary SQL statements by submitting unsanitized input through the userRes POST parameter of the user endpoint. Because the injected statements execute with MySQL root privileges, the injection can be used to write arbitrary files with SELECT ... INTO DUMPFILE; writing a PHP webshell into the web-accessible roundcube logs directory yields remote code execution as the cwpsvc account.
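The chain described above (blind probing of the injection point, then a SELECT ... INTO DUMPFILE write into a web-served directory) leaves a recognisable trail in the MySQL general query log. The following is an added detection example, not code from this advisory or from the Control Web Panel project; the log lines are constructed, and the roundcube logs path and the web-served prefixes are assumptions, since the advisory names no filesystem path.

```python
"""Hunt for the MySQL side of the CVE-2026-57517 exploitation chain in the
MySQL general query log: time-based blind probing followed by a file write
via INTO DUMPFILE / INTO OUTFILE into a web-served directory.
Added example; the log lines and paths below are constructed/assumed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# ASSUMPTION: web-served directories on the host. The advisory only says the
# roundcube logs directory is web-accessible and names no path, so this is a
# placeholder to be replaced with the real layout of the installation.
WEB_SERVED_PREFIXES = ("/var/www/roundcube/logs/",)
WEB_EXEC_SUFFIXES = (".php", ".phtml", ".phar")

# MySQL general log "Query" records: <timestamp> <connection id> Query <statement>
LOG_RE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")
# SELECT ... INTO DUMPFILE 'path'  /  SELECT ... INTO OUTFILE "path"
FILE_WRITE_RE = re.compile(r'''INTO\s+(?:DUMPFILE|OUTFILE)\s+(['"])(.*?)\1''', re.I | re.S)
# Primitives that turn a blind injection into a timing oracle
TIMING_RE = re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)


@dataclass(frozen=True)
class Finding:
    conn_id: int
    kind: str      # "timing_probe" or "file_write"
    detail: str
    severity: str


def parse_general_log(lines: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Return (timestamp, connection id, statement) for every Query record."""
    out = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3)))
    return out


def file_write_target(statement: str) -> Optional[str]:
    """Path written by INTO DUMPFILE/OUTFILE, or None if the statement writes no file."""
    m = FILE_WRITE_RE.search(statement)
    return m.group(2) if m else None


def is_web_reachable(path: str) -> bool:
    """A write is web-reachable if it lands under a served prefix or is a script type."""
    return path.startswith(WEB_SERVED_PREFIXES) or path.lower().endswith(WEB_EXEC_SUFFIXES)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Flag timing probes and file writes; a web-reachable write is rated high."""
    findings = []
    for _ts, conn, stmt in parse_general_log(lines):
        if TIMING_RE.search(stmt):
            findings.append(Finding(conn, "timing_probe", stmt[:80], "medium"))
        path = file_write_target(stmt)
        if path is not None:
            sev = "high" if is_web_reachable(path) else "medium"
            findings.append(Finding(conn, "file_write", path, sev))
    return findings


def chained_connections(findings: Iterable[Finding]) -> Set[int]:
    """Connections that both probed blindly and wrote a file: the full chain."""
    findings = list(findings)
    probed = {f.conn_id for f in findings if f.kind == "timing_probe"}
    wrote = {f.conn_id for f in findings if f.kind == "file_write"}
    return probed & wrote


# Constructed sample log (not real traffic): connection 17 probes with SLEEP,
# then drops a PHP file into the assumed roundcube logs path; connection 18 is
# a benign CSV export to /tmp.
SAMPLE_LOG = [
    "2026-07-01T10:00:01.000000Z\t   17 Query\tSELECT username FROM user WHERE id=42",
    "2026-07-01T10:00:02.000000Z\t   17 Query\tSELECT username FROM user WHERE id=42 AND SLEEP(5)",
    "2026-07-01T10:00:03.000000Z\t   17 Query\tSELECT 0x3c3f706870 INTO DUMPFILE '/var/www/roundcube/logs/x.php'",
    "2026-07-01T10:00:04.000000Z\t   18 Query\tSELECT * INTO OUTFILE \"/tmp/export.csv\" FROM report",
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"conn {f.conn_id}: {f.kind} [{f.severity}] {f.detail}")
    print("chained connections:", sorted(chained_connections(results)))
```

The general log must be enabled for this to see anything, and it is expensive on a busy server; the same two signals (SLEEP/BENCHMARK probes, INTO DUMPFILE/OUTFILE targets) can be pulled from an audit plugin instead. On the prevention side, a MySQL server with secure_file_priv set to NULL refuses every INTO DUMPFILE/OUTFILE write, and an application account without the FILE privilege cannot issue one at all; the write step in the advisory depends on the injected statements running as root with neither restriction in place.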

Key dates

02 Disclosure timeline

July 1, 2026 CVE published
July 2, 2026 Record updated