CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-57517

criticalpublic exploitCVSS 9.8covered by 1 sourcefirst seen 2026-07-01
Public exploit code is available. Proof-of-concept or working exploit code for CVE-2026-57517 is indexed in GitHub PoC. Expect opportunistic scanning and exploitation attempts — prioritize remediation even though it is not (yet) in the CISA KEV catalog.
Control Web Panel before 0.9.8.1225 contains a blind SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary SQL queries by submitting unsanitized input through the userRes POST parameter at the user endpoint. Attackers can exploit MySQL root privileges obtained via the injection to write arbitrary files using INTO DUMPFILE, enabling deployment of a PHP webshell to the web-accessible roundcube logs directory and achieving remote code execution as the cwpsvc account.

⚡ Watch CVE-2026-57517

Get an email if CVE-2026-57517 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Exploit availability

Public exploit or proof-of-concept code for CVE-2026-57517 is indexed in these free datasets. Available exploit code raises real-world risk independent of the CVSS score.

Advisory coverage (1)

External references

NVD record for CVE-2026-57517

CVE.org record

Embed the live status

CVE-2026-57517 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-57517 status](https://www.csirts.com/badge/CVE-2026-57517)](https://www.csirts.com/cve/CVE-2026-57517)