CVE-2024-51568

CVSS 10 CRITICALEPSS 45.7%CWE-78

Vexday Risk Score

75High priority

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 10EPSS 45.7%KEV nãoPoC públicaNuclei simMetasploit simPatch —

Lifecycle

27 Oct 2024Metasploit module available

29 Oct 2024Published on NVD

02 Sep 2025Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

CyberPanel (aka Cyber Panel) before 2.3.5 allows Command Injection via completePath in the ProcessUtilities.outputExecutioner() sink. There is /filemanager/upload (aka File Manager upload) unauthenticated remote code execution via shell metacharacters.

CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:C/UI:N

Affected products

n/a · n/a

public PoCs found — 1

githubgithub.com/jsnv-dev/CVE-2024-51568---CyberPanel-Command-Injection-Nuclei-Template★ 1

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://cwe.mitre.org/data/definitions/78.html https://cyberpanel.net/blog/cyberpanel-v2-3-5 https://cyberpanel.net/KnowledgeBase/home/change-logs/https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce