HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-57517Published Modified CNA VulnCheck

CVE-2026-57517: Control Web Panel < 0.9.8.1225 Blind SQL Injection via userRes Parameter

Control Web Panel before 0.9.8.1225 contains a blind SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary SQL queries by submitting unsanitized input through the userRes POST parameter at the user endpoint. Attackers can exploit MySQL root privileges obtained via the injection to write arbitrary files using INTO DUMPFILE, enabling deployment of a PHP webshell to the web-accessible roundcube logs directory and achieving remote code execution as the cwpsvc account.

Metrics

CVSS v4.0
9.3
Severity
CRITICAL
Fixed in
0.9.8.1225
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Blind SQL injection in Control Web Panel before version 0.9.8.1225 allows an unauthenticated remote attacker to submit malicious input through the userRes POST parameter at the user endpoint, bypassing all authentication entirely. The vulnerability is reachable over the network with no credentials required and no victim interaction needed. Successful exploitation gives the attacker full read and write access to the underlying MySQL database (running as root), the ability to drop a PHP webshell into the web-accessible roundcube logs directory, and remote code execution as the cwpsvc service account. A patched-image rebuild at version 0.9.8.1225 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-57517 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Control Web Panel. No manual configuration is required for the match to run.

Available
Triage

HarborGuard surfaces this CVE with its CVSS v4.0 score of 9.3 (Critical) and applies per-environment compliance policy weighting to prioritize it appropriately within each customer org. Triage alerts are routed to the inbox or ticket queue configured by each customer's policy, so the right team sees the finding without manual sorting.

Available
Patch

A patched-image rebuild at Control Web Panel version 0.9.8.1225 becomes available on HarborGuard the moment the fix version is indexed. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable endpoint is exposed over the network; an attacker must be able to send HTTP POST requests to the target host to exploit this vulnerability.

  • AuthenticationNot required

    No credentials of any kind are needed; the injection point in the userRes parameter is reachable by any unauthenticated request.

  • Victim interactionNot required

    Exploitation is fully automated and requires no action from any user or administrator on the target system.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and condition-free with no race conditions or special environmental factors required.

Blast Radius

  • Reads any data stored in the MySQL database, including user credentials, session tokens, and hosted-domain configuration records.
  • Writes arbitrary content to the filesystem by abusing MySQL root-level INTO DUMPFILE privileges, enabling placement of a PHP webshell in the web-accessible roundcube logs directory.
  • Executes arbitrary operating system commands as the cwpsvc service account once the webshell is deployed, giving the attacker persistent interactive access to the host.
  • Modifies or deletes database rows, allowing tampering with panel configuration, hosted accounts, and access control records.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-57517 is active for all connected environments, matching images that include Control Web Panel versions below 0.9.8.1225. Given the Critical severity (CVSS 9.3) and the zero-authentication, over-the-network exploit path, this CVE is prioritized at the top of the triage queue under standard compliance policies. For customers with auto-remediation enabled, HarborGuard initiates a rebuild against the patched version 0.9.8.1225, runs regression tests on the resulting image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. For customers who have not opted into auto-remediation, the rebuilt image is staged and flagged for manual approval. Until the patched image is deployed, compensating controls worth considering include network-policy rules that restrict inbound HTTP access to the Control Web Panel user endpoint, egress filtering to limit outbound connections from the cwpsvc process, and web application firewall rules that block POST requests containing SQL metacharacters on the affected path.

See how HarborGuard automates this

Fix available

0.9.8.1225
Affected packages
  • Control Web Panel / Control Web Panel
    < 0.9.8.1225 (from 0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N