CVE-2026-29856

HighPublic PoC

Published: 18 March 2026

Published

18 March 2026

Modified

19 March 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0007 22.0th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-29856 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Aapanel Aapanel. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 22.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and remediation of the specific ReDoS flaw in aaPanel's VirtualHost parser through patching as referenced in the vulnerability repositories.

SI-10 Information Input Validation good match

prevent

Validates and rejects crafted inputs to the VirtualHost configuration parser to prevent triggering the inefficient regular expression processing leading to CPU exhaustion.

SC-5 Denial-of-service Protection good match

prevent

Implements denial-of-service protections such as rate limiting or traffic filtering to mitigate remote unauthenticated resource exhaustion attacks exploiting the ReDoS vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

ReDoS vulnerability in public-facing aaPanel parser directly enables remote unauthenticated attackers to trigger application-level resource exhaustion (CPU) via crafted input, mapping to Endpoint DoS via Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue in the VirtualHost configuration handling/parser component of aaPanel v7.57.0 allows attackers to cause a Regular Expression Denial of Service (ReDoS) via a crafted input.

Deeper analysisAI

CVE-2026-29856 is a Regular Expression Denial of Service (ReDoS) vulnerability in the VirtualHost configuration handling/parser component of aaPanel version 7.57.0. The flaw, classified under CWE-400 (Uncontrolled Resource Consumption), allows attackers to trigger excessive CPU usage through a crafted input that exploits inefficient regular expression processing. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its potential for significant availability impact.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By submitting a specially crafted input to the affected VirtualHost parser, an attacker can cause the application to enter a computationally expensive matching loop, leading to resource exhaustion and denial of service on the targeted aaPanel instance.

Mitigation details and further technical analysis are available in the official aaPanel GitHub repository at https://github.com/aapanel/aapanel and the vulnerability research repository at https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2026-29856. Security practitioners should review these sources for patches, workarounds, or updated configurations specific to aaPanel v7.57.0.