CVE-2025-67888
Published: 08 May 2026
Summary
CVE-2025-67888 is a high-severity OS Command Injection (CWE-78) vulnerability in Control Web Panel (CWP) before version 0.9.8.1209. Its CVSS 3.1 base score is 7.3 (High).
Operationally, EPSS ranks it in the top 2.6% of CVEs by predicted exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Control Web Panel (CWP) versions prior to 0.9.8.1209 contain an OS command injection vulnerability tracked as CVE-2025-67888. The flaw occurs because user input supplied through the "key" GET parameter to /admin/index.php (when the "api" parameter is also present) is not sanitized before being passed to system command execution. Exploitation requires that either Softaculous or SitePad is installed on the server, and the issue is classified under CWE-78 with a CVSS 3.1 score of 7.3.
Unauthenticated remote attackers can supply crafted input to the affected endpoint and execute arbitrary operating-system commands with root privileges on the web server. No authentication or user interaction is needed, allowing direct command injection over the network when the prerequisite plugins are present.
Public references, including the KarmaInSecurity disclosure and entries on Seclists and the CentOS WebPanel wiki, identify version 0.9.8.1209 as the corrective release. The EPSS score peaked at 0.43 and currently stands at 0.40, i.e. an estimated 40% probability of exploitation in the wild within the next 30 days. That estimate has stayed high since disclosure; note that EPSS is a prediction, not evidence of observed attacks, which is consistent with the CVE's absence from the CISA KEV catalog.
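As an added example (not part of the original advisory, not CWP's own code, and not a public exploit), the following Python triage helper covers the two things a responder wants after reading the analysis above: it compares an installed CWP version string against the fixed release 0.9.8.1209, and it scans web-server access-log lines for requests to /admin/index.php that carry both the "api" and "key" parameters with shell metacharacters in "key". The Apache combined log format, the regular expression that parses it and the sample log lines are constructed assumptions; this page does not state CWP's log layout or the exact injection syntax, so the metacharacter check is a generic CWE-78 heuristic, not a signature of the real payload.

```python
"""Triage helpers for CVE-2025-67888 (CWP OS command injection via /admin/index.php?api=...&key=...).

Added example, not CWP's code or a public exploit. Provides:
  1. is_vulnerable_version(): compare an installed CWP version against the fixed release 0.9.8.1209
  2. analyze_request()/find_suspicious_requests(): flag requests to /admin/index.php that set both
     the "api" and "key" parameters and carry shell metacharacters in "key"
The Apache combined log format (LOG_RE) and SAMPLE_LOG are assumptions constructed for this demo.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

FIXED_VERSION = "0.9.8.1209"          # corrective release named in the advisory
AFFECTED_PATH = "/admin/index.php"     # endpoint named in the advisory

# Characters that let an attacker break out of a value interpolated into a shell command.
# Generic CWE-78 heuristic; the real payload syntax is not documented on this page.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")

# Apache combined log: client, timestamp, request line, status (assumed format for the sample).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.9.8.1209' into (0, 9, 8, 1209) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.strip().split("."))


def is_vulnerable_version(installed: str) -> bool:
    """True when the installed CWP build predates the corrective release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def analyze_request(target: str) -> Optional[dict]:
    """Inspect one request target (path + query). Returns a finding dict when the request hits
    /admin/index.php with both "api" and "key" set, else None. "suspicious" is True when the
    decoded "key" value contains shell metacharacters."""
    parts = urlsplit(target)
    if parts.path != AFFECTED_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "api" not in qs or "key" not in qs:
        return None
    # parse_qs already percent-decoded once; a second unquote catches double-encoded payloads
    # (at the cost of occasional false positives on keys that legitimately contain '%xx').
    key = unquote(qs["key"][0])
    meta = SHELL_META.findall(key)
    return {"key": key, "shell_meta": sorted(set(meta)), "suspicious": bool(meta)}


def find_suspicious_requests(lines: List[str]) -> List[Tuple[str, str, str, List[str]]]:
    """Return (client_ip, timestamp, decoded_key, metacharacters) for every log line whose
    request matches the vulnerable pattern and carries shell metacharacters in "key"."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed log format; skip rather than guess
        result = analyze_request(m.group("target"))
        if result and result["suspicious"]:
            findings.append((m.group("ip"), m.group("ts"), result["key"], result["shell_meta"]))
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    # Benign-looking API call: plain alphanumeric key
    '203.0.113.10 - - [08/May/2026:10:01:02 +0000] "GET /admin/index.php?api=1&key=abcdef0123456789 HTTP/1.1" 200 512',
    # Suspicious: key decodes to abc;id;$(whoami), i.e. shell metacharacters in the injectable parameter
    '198.51.100.7 - - [08/May/2026:10:01:09 +0000] "GET /admin/index.php?api=1&key=abc%3Bid%3B%24%28whoami%29 HTTP/1.1" 200 88',
    # Same query shape but a different path: out of scope for this CVE
    '198.51.100.7 - - [08/May/2026:10:01:15 +0000] "GET /index.php?api=1&key=x%7Cls HTTP/1.1" 404 0',
    # Affected path but no "api" parameter: not the code path described in the advisory
    '203.0.113.22 - - [08/May/2026:10:02:00 +0000] "GET /admin/index.php?key=a%26b HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for v in ("0.9.8.1208", "0.9.8.1209"):
        print(f"CWP {v}: {'VULNERABLE' if is_vulnerable_version(v) else 'patched'}")
    for ip, ts, key, meta in find_suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} key={key!r} metacharacters={meta}")
```

Adapt LOG_RE to the actual log layout of the CWP admin service before running this against production logs. Because the advisory states that injected commands run as root, a confirmed hit means the host should be treated as potentially compromised rather than merely patched; upgrading to 0.9.8.1209 closes the hole but does not undo anything an attacker already did, and the Softaculous/SitePad prerequisite decides whether a given unpatched host was actually reachable by this path.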
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-209736
Vulnerability details
An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject and execute arbitrary OS commands with the privileges of root on the web server. Softaculous or SitePad must be present.
- CWE-78: OS Command Injection