CVE-2026-57517: Control Web Panel < 0.9.8.1225 Blind SQL Injection via userRes Parameter
Control Web Panel before 0.9.8.1225 contains a blind SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary SQL queries by submitting unsanitized input through the userRes POST parameter at the user endpoint. Attackers can exploit MySQL root privileges obtained via the injection to write arbitrary files using INTO DUMPFILE, enabling deployment of a PHP webshell to the web-accessible roundcube logs directory and achieving remote code execution as the cwpsvc account.
Metrics
- CVSS v4.0
- 9.3
- Severity
- CRITICAL
- Fixed in
- 0.9.8.1225
- Affected Products
- 1
HarborGuard Analysis
Synopsis
Blind SQL injection in Control Web Panel before version 0.9.8.1225 allows an unauthenticated remote attacker to submit malicious input through the userRes POST parameter at the user endpoint, bypassing all authentication entirely. The vulnerability is reachable over the network with no credentials required and no victim interaction needed. Successful exploitation gives the attacker full read and write access to the underlying MySQL database (running as root), the ability to drop a PHP webshell into the web-accessible roundcube logs directory, and remote code execution as the cwpsvc service account. A patched-image rebuild at version 0.9.8.1225 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-57517 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Control Web Panel. No manual configuration is required for the match to run.
AvailableHarborGuard surfaces this CVE with its CVSS v4.0 score of 9.3 (Critical) and applies per-environment compliance policy weighting to prioritize it appropriately within each customer org. Triage alerts are routed to the inbox or ticket queue configured by each customer's policy, so the right team sees the finding without manual sorting.
AvailableA patched-image rebuild at Control Web Panel version 0.9.8.1225 becomes available on HarborGuard the moment the fix version is indexed. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The vulnerable endpoint is exposed over the network; an attacker must be able to send HTTP POST requests to the target host to exploit this vulnerability.
- AuthenticationNot required
No credentials of any kind are needed; the injection point in the userRes parameter is reachable by any unauthenticated request.
- Victim interactionNot required
Exploitation is fully automated and requires no action from any user or administrator on the target system.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and condition-free with no race conditions or special environmental factors required.
Blast Radius
- Reads any data stored in the MySQL database, including user credentials, session tokens, and hosted-domain configuration records.
- Writes arbitrary content to the filesystem by abusing MySQL root-level INTO DUMPFILE privileges, enabling placement of a PHP webshell in the web-accessible roundcube logs directory.
- Executes arbitrary operating system commands as the cwpsvc service account once the webshell is deployed, giving the attacker persistent interactive access to the host.
- Modifies or deletes database rows, allowing tampering with panel configuration, hosted accounts, and access control records.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-57517 is active for all connected environments, matching images that include Control Web Panel versions below 0.9.8.1225. Given the Critical severity (CVSS 9.3) and the zero-authentication, over-the-network exploit path, this CVE is prioritized at the top of the triage queue under standard compliance policies. For customers with auto-remediation enabled, HarborGuard initiates a rebuild against the patched version 0.9.8.1225, runs regression tests on the resulting image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. For customers who have not opted into auto-remediation, the rebuilt image is staged and flagged for manual approval. Until the patched image is deployed, compensating controls worth considering include network-policy rules that restrict inbound HTTP access to the Control Web Panel user endpoint, egress filtering to limit outbound connections from the cwpsvc process, and web application firewall rules that block POST requests containing SQL metacharacters on the affected path.
- Control Web Panel / Control Web Panel< 0.9.8.1225 (from 0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N