Control Web Panel <= 0.9.8.1224 (userRes) SQL Injection Vulnerability
• Software Link:
• Affected Versions:
Version 0.9.8.1224 and prior versions.
• Vulnerability Description:
User input passed through the “userRes” POST parameter to https://[CWP_Host]:2083/[CWP_Username]/ is not properly sanitized before being used to construct an SQL query. This can be exploited by remote, unauthenticated attackers to carry out (blind) SQL Injection attacks.
Successful exploitation of this vulnerability requires the attacker to know or correctly guess the username of a valid non-root account on the affected CWP instance.
NOTE: successful exploitation allows an unauthenticated attacker to execute arbitrary SQL queries with the privileges of the MySQL root user. Because this account possesses the global FILE privilege, the vulnerability can be leveraged to write arbitrary files to writable locations on the underlying filesystem using MySQL’s file output capabilities (e.g., INTO DUMPFILE). By writing a malicious PHP payload to the web-accessible /usr/local/cwpsrv/var/services/roundcube/logs/ directory, an attacker might be able to execute arbitrary PHP code remotely, resulting in full Remote Code Execution (RCE) on the affected CWP instance with the privileges of the cwpsvc account.
• Proof of Concept:
https://karmainsecurity.com/pocs/CVE-2026-57517.php
• Solution:
Upgrade to version 0.9.8.1225 or later.
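Two defender-side checks that follow from the description and the fix above, as added example code (not part of this advisory, the PoC, or the CWP project): a numeric comparison of the installed build against the fixed release 0.9.8.1225, and a scan of the web-accessible roundcube logs directory named above for anything that is PHP rather than a log file. The version string location and the sample directory contents are assumptions; the log directory path and fixed version come from the advisory.

```python
"""Triage helpers for CWP <= 0.9.8.1224 (userRes SQLi). Added example, not CWP code."""
import os
import re
import tempfile
from pathlib import Path

FIXED_VERSION = "0.9.8.1225"  # first fixed release per the advisory
# Web-accessible directory the advisory names as the INTO DUMPFILE write target.
ROUNDCUBE_LOG_DIR = "/usr/local/cwpsrv/var/services/roundcube/logs"
PHP_MARKER = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
PHP_EXTENSIONS = (".php", ".phtml", ".phar")


def parse_version(version: str) -> tuple:
    """'0.9.8.1224' -> (0, 9, 8, 1224). Compare numerically: as strings,
    '0.9.8.999' would sort *after* '0.9.8.1225' and look patched."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def suspicious_files(log_dir: str = ROUNDCUBE_LOG_DIR, max_read: int = 65536) -> list:
    """Paths under log_dir with a PHP extension or a PHP open tag in the first
    max_read bytes. A logs directory should hold only text logs, so any hit is
    worth an incident-response look. Caveat: a log that records raw request
    bodies can legitimately contain '<?php'; treat hits as leads, not verdicts."""
    if not os.path.isdir(log_dir):
        return []
    hits = []
    for path in sorted(Path(log_dir).rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() in PHP_EXTENSIONS:
            hits.append(str(path))
            continue
        with open(path, "rb") as fh:
            if PHP_MARKER.search(fh.read(max_read)):
                hits.append(str(path))
    return hits


def make_sample_dir() -> str:
    """Constructed sample directory (assumption, for offline demonstration):
    one benign log, one log carrying a PHP tag, one dropped .php file."""
    root = tempfile.mkdtemp(prefix="cwp-rc-logs-")
    Path(root, "errors.log").write_text("[12-Jun-2026] IMAP Error: Login failed\n")
    Path(root, "userlogins.log").write_bytes(b"junk\n<?php system($_GET['c']); ?>\n")
    Path(root, "cache.php").write_text("<?= 1 ?>")
    return root


if __name__ == "__main__":
    print("vulnerable build:", is_vulnerable_version("0.9.8.1224"))
    print("sample hits:", suspicious_files(make_sample_dir()))
```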
• Disclosure Timeline:
[XX/YY/2025] – Vulnerability discovered
[06/05/2026] – Version 0.9.8.1225 released, issue fixed by the vendor
[26/06/2026] – CVE identifier requested
[26/06/2026] – CVE identifier assigned
[01/07/2026] – Public disclosure
• CVE Reference:
CVE-2026-57517 has been assigned to this vulnerability.
• Credits:
Vulnerability discovered by Egidio Romano.