
CVE-2025-67888

Severity: High
Published: 08 May 2026
Modified: 08 May 2026
KEV Added: not listed
Patch: Control Web Panel 0.9.8.1209 (corrective release)
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.3999 (97.4th percentile)
Risk Priority: 39 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-67888 is a high-severity OS Command Injection (CWE-78) vulnerability in Control Web Panel (CWP) before version 0.9.8.1209. (The vendor field was auto-inferred from the references as "Karmainsecurity"; KarmaInSecurity is the disclosing researcher, not the affected product.) Its CVSS 3.1 base score is 7.3 (High). Note that the vector rates confidentiality, integrity and availability impact as Low (C:L/I:L/A:L) even though the description is unauthenticated command execution as root, so treat 7.3 as a floor rather than a ceiling when prioritising.

Operationally, its EPSS score places it in the top 2.6% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

Deeper analysis

Control Web Panel (CWP) versions prior to 0.9.8.1209 contain an OS command injection vulnerability tracked as CVE-2025-67888. The flaw occurs because user input supplied through the "key" GET parameter to /admin/index.php (when the "api" parameter is also present) is not sanitized before being passed to system command execution. Exploitation requires that either Softaculous or SitePad is installed on the server. The issue is classified under CWE-78 and carries a CVSS 3.1 score of 7.3.

Unauthenticated remote attackers can supply crafted input to the affected endpoint and execute arbitrary operating-system commands with root privileges on the web server. No authentication or user interaction is needed, so the injection is reachable directly over the network whenever one of the prerequisite plugins is present.

Public references, including the KarmaInSecurity disclosure and entries on Seclists and the CentOS WebPanel wiki, identify version 0.9.8.1209 as the corrective release. The EPSS score peaked at 0.43 and currently stands at 0.40, i.e. an estimated probability of roughly 40% that exploitation activity is observed within the next 30 days. For an unauthenticated, network-reachable, root-level flaw this argues for patching first and then reviewing web access logs for requests to /admin/index.php that carry both the "api" and "key" parameters.
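Two checks a practitioner would want to run against the facts above: is the installed CWP older than 0.9.8.1209, and do the web server access logs show requests to /admin/index.php carrying both "api" and "key" where the key holds shell metacharacters. The following is an added example, not CWP code and not code from the disclosure. It assumes CWP version strings are dot-separated integers (as "0.9.8.1209" is) and that the web server writes combined-format access logs; the log lines in the block are constructed for the example, including a double-percent-encoded payload to show why decoding must be repeated.

```python
"""Triage helpers for CVE-2025-67888 (Control Web Panel before 0.9.8.1209).

Added example; not CWP code. Assumptions: dot-separated integer version
strings, combined-format access log lines. SAMPLE_LOG below is constructed.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

FIXED_VERSION = "0.9.8.1209"        # corrective release named in the advisory
AFFECTED_PATH = "/admin/index.php"  # endpoint named in the advisory

# Characters an attacker needs in order to break out of a shell command string.
SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"\n\r]")

# Combined-log prefix: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.strip().split("."))


def is_vulnerable_version(installed: str) -> bool:
    """True when the installed CWP predates 0.9.8.1209.
    Compares numeric tuples, so "0.9.8.999" correctly sorts before "0.9.8.1209"."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def fully_decode(value: str) -> str:
    """Undo repeated percent-encoding so a double-encoded payload is not missed."""
    while True:
        decoded = unquote_plus(value)
        if decoded == value:
            return value
        value = decoded


def suspicious_request(line: str) -> Optional[dict]:
    """Return a finding for an api+key request to /admin/index.php whose key
    carries shell metacharacters; None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith(AFFECTED_PATH):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # decodes one layer
    if "api" not in params or "key" not in params:
        return None
    for raw_key in params["key"]:
        key = fully_decode(raw_key)
        if SHELL_META.search(key):
            return {"ip": m.group("ip"), "ts": m.group("ts"),
                    "status": m.group("status"), "key": key}
    return None


def scan_log(lines) -> list:
    return [f for f in (suspicious_request(line) for line in lines) if f]


# Constructed sample: a benign API call, a plain injection attempt, a
# double-encoded attempt, and a request to an unrelated path.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/May/2026:10:01:02 +0000] "GET /admin/index.php?api=1&key=abc123 HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/May/2026:10:01:05 +0000] "GET /admin/index.php?api=1&key=x%3Bid HTTP/1.1" 200 88',
    '198.51.100.9 - - [09/May/2026:10:02:00 +0000] "GET /admin/index.php?api=1&key=x%2524%2528id%2529 HTTP/1.1" 200 90',
    '198.51.100.9 - - [09/May/2026:10:03:00 +0000] "GET /index.php?key=a%3Bb HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print("0.9.8.1208 vulnerable:", is_vulnerable_version("0.9.8.1208"))
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A plain api+key request without metacharacters (the first sample line) is deliberately not flagged, since that is what legitimate API use looks like; on an unpatched host, widen the rule to report every such request from unexpected source addresses.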


Vulnerability details

An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject and execute arbitrary OS commands with the privileges of root on the web server. Softaculous or SitePad must be present.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

CVEs Like This One (each shares CWE-78 with this entry):

- CVE-2026-42454
- CVE-2026-44724
- CVE-2025-60962
- CVE-2025-11005
- CVE-2026-34796
- CVE-2025-23316
- CVE-2024-57016
- CVE-2025-56084
- CVE-2026-4631
- CVE-2025-50475

Affected Assets

Control Web Panel (CWP), versions before 0.9.8.1209 (inferred from the references and description; NVD did not file a CPE for this CVE). The auto-inferred vendor name "Karmainsecurity" is the disclosing researcher, not the affected product.

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-78) cited in the NVD entry.

- addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection. Caveat: this generic control does not help here; the advisory states that injected commands run as root on the web server, so no such sandbox is containing them.

- addresses CWE-78: Validates inputs to block special elements that would alter OS command execution. For this flaw that means allowlisting the "key" value and, independently, never handing request data to a shell string.
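The two CWE-78 defenses behind that control, shown side by side with the vulnerable pattern. This is an added example, not Control Web Panel code: the handler, its "key" parameter and the external program it invokes are hypothetical. The "tool" is the Python interpreter itself, asked to echo its argv as JSON, so the block runs anywhere with Python and /bin/sh and touches no real system command.

```python
"""CWE-78: vulnerable shell-string concatenation vs. allowlist + argv.

Added example; not CWP code. The handler and its "key" parameter are
hypothetical; the invoked program is Python echoing its own argv.
"""
import json
import re
import shlex
import subprocess
import sys

# Stand-in for whatever external program the vulnerable handler would call:
# prints its argv as a JSON list so we can see exactly what arrived.
ECHO_ARGV = "import sys, json; print(json.dumps(sys.argv[1:]))"

# Allowlist for the value: an API key has no business containing shell syntax.
KEY_ALLOWED = re.compile(r"\A[A-Za-z0-9_-]{1,64}\Z")


def run_unsafe(key: str) -> str:
    """The CWE-78 pattern: untrusted input concatenated into a shell string."""
    cmd = f'{shlex.quote(sys.executable)} -c "{ECHO_ARGV}" --key {key}'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(key: str) -> list:
    """Defense 1: pass the value as a discrete argv element, never via a shell.
    Whatever it contains reaches the program as one literal argument."""
    out = subprocess.run([sys.executable, "-c", ECHO_ARGV, "--key", key],
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def validate_key(key: str) -> str:
    """Defense 2: reject anything outside the allowlist before it goes anywhere."""
    if not KEY_ALLOWED.match(key):
        raise ValueError("rejected key: characters outside [A-Za-z0-9_-]")
    return key


def run_safe(key: str) -> list:
    """Both defenses together: allowlist first, then argv without a shell."""
    return run_argv(validate_key(key))


if __name__ == "__main__":
    payload = "x;echo INJECTED"
    print("unsafe:", run_unsafe(payload))   # the shell runs the injected echo
    print("argv  :", run_argv(payload))     # payload is one literal argument
    try:
        run_safe(payload)
    except ValueError as err:
        print("safe  :", err)               # rejected before anything executes
    print("safe  :", run_safe("abc123"))
```

Keep both layers: the argv form alone stops shell injection but still lets an attacker choose argument values (and anything starting with "-" may be read as an option by the callee), while the allowlist alone is only as good as the pattern; together they make the "key" parameter inert.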
