What is CVE-2026-57517?
CVE-2026-57517 is a blind SQL injection vulnerability in Control Web Panel (CWP), caused by insufficient sanitization of the userRes POST parameter submitted to the panel’s user endpoint before the value is used to build a SQL query. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical).
Exploitation is unauthenticated in the sense that no login session is required, but it does depend on the attacker knowing or correctly guessing the username of a valid, non-root account on the target CWP instance. Once that condition is met, the attacker can execute arbitrary SQL queries with the privileges of the MySQL root account.
The practical impact extends well beyond data exposure. Because the MySQL root account on a CWP install carries the global FILE privilege, an attacker can use INTO DUMPFILE to write arbitrary files to writable locations on the server. Researchers demonstrated that this can be used to drop a PHP payload into a web-accessible logs directory, resulting in full remote code execution with the privileges of the cwpsvc account.
What assets are affected by CVE-2026-57517?
The vulnerability affects Control Web Panel versions 0.9.8.1224 and earlier. CWP, formerly known as CentOS Web Panel, is a free server management interface used to administer VPS and dedicated servers running CentOS and its downstream derivatives such as Rocky Linux and AlmaLinux.
In practice, an affected asset is a server exposing the CWP administrative interface, typically reachable at https://[host]:2083/[username]/. Because CWP is built around a shared-hosting model, in which a single server hosts accounts for multiple end customers, the admin interface is frequently left internet-facing by design rather than by oversight.
CWP has a recent history of critical, unauthenticated vulnerabilities, including an OS command injection flaw disclosed in 2025. Products in this category tend to stay exposed longer than average: operators running low-cost or free hosting panels often deprioritize patching relative to commercial infrastructure, and the multi-tenant nature of the platform can make maintenance windows harder to schedule.
What does our data show about exposure patterns?

Exposure in this set is led by Consumer Staples at 32.1% of observed assets, with Consumer Discretionary contributing 28.6%.
The concentration in Consumer Staples and Consumer Discretionary tracks with how these sectors typically run their online infrastructure. Retail, hospitality, and packaged goods organizations frequently operate a mix of regional storefronts, franchise sites, and partner-managed subdomains, often provisioned through low-cost hosting arrangements rather than centrally managed infrastructure. That pattern creates more opportunities for a hosting-panel product like CWP to end up running on an internet-facing server without central IT’s direct oversight.
The broader cross-sector spread, including a meaningful Industrials share, points to a recurring driver behind exposure to this class of vulnerability: visibility gaps around infrastructure provisioned outside the primary IT organization. Marketing microsites, regional subdomains, and vendor- or franchise-managed servers are exactly the kind of assets that tend to run unmonitored software and go unpatched long after a fix is available.
Are fixes available?
Yes. The CWP vendor released version 0.9.8.1225, which fixes the userRes sanitization flaw. Organizations running an earlier version should treat upgrading to 0.9.8.1225 or later as the primary remediation step.
A public proof of concept for CVE-2026-57517 is already available, which increases the likelihood of opportunistic scanning and exploitation attempts against unpatched instances.
Defenders should confirm their running CWP version directly against the vendor’s release notes rather than assuming a scheduled update has already applied the fix, particularly on servers managed by a hosting provider or reseller rather than in-house.
Are there any other recommended actions to take?
Until every instance is confirmed patched, defenders should:
- Inventory all CWP instances and confirm the installed version against 0.9.8.1225
- Restrict access to port
2083to trusted management IP ranges - Audit CWP usernames for predictability and rotate any easily guessable accounts
- Monitor web server and MySQL logs for anomalous
userResparameter values - Check the
/usr/local/cwpsrv/var/services/roundcube/logs/directory for unexpected PHP files - Rotate MySQL root credentials on any instance that cannot be immediately patched
How can CyCognito help your organization?
CyCognito published an Emerging Threat Advisory for CVE-2026-57517 in the CyCognito platform and is actively researching enhanced detection capabilities for this vulnerability.
To learn how CyCognito can help your organization reduce external exposure and manage emerging threats more effectively, contact us to request a demo.