Cyber Resilience

CVE-2026-29858

Severity: High · Public PoC

Published: 18 March 2026
Modified: 19 March 2026
KEV Added: not listed
Patch: (no entry)
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0006 (18.8th percentile)
Risk priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-29858 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Aapanel Aapanel. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 18.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-29858 affects aaPanel version 7.57.0, where a lack of path validation enables local file inclusion (LFI) attacks, leading to sensitive information exposure. Published on 2026-03-18, this vulnerability is classified under CWE-98 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no effects on integrity or availability.

Remote attackers require no privileges, authentication, or user interaction to exploit this issue over the network with low complexity. Successful exploitation allows reading arbitrary local files on the affected server, potentially exposing configuration data, credentials, or other sensitive content.

Mitigation details and further analysis are available in referenced sources, including the official aaPanel GitHub repository at https://github.com/aapanel/aapanel and vulnerability research at https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2026-29858.

EU & UK References

Vulnerability details

A lack of path validation in aaPanel v7.57.0 allows attackers to execute a local file inclusion (LFI), leading to sensitive information exposure.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

A remote, unauthenticated LFI in the public-facing aaPanel web application matches T1190 directly; the resulting arbitrary local file reads enable T1005 collection of data (configuration files, credentials) from the system.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-29859 (same product: Aapanel Aapanel)
- CVE-2026-29856 (same product: Aapanel Aapanel)
- CVE-2025-68537 (shared CWE-98)
- CVE-2026-28079 (shared CWE-98)
- CVE-2026-28061 (shared CWE-98)
- CVE-2026-28048 (shared CWE-98)
- CVE-2026-22516 (shared CWE-98)
- CVE-2026-28120 (shared CWE-98)
- CVE-2025-67992 (shared CWE-98)
- CVE-2025-31432 (shared CWE-98)

Affected Assets

Vendor: aapanel
Product: aapanel
Version: 7.57.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

- prevent: Directly requires validation of file path inputs to prevent LFI attacks exploiting lack of path validation in aaPanel.
- prevent: Mandates identification, reporting, and correction of the specific LFI flaw in aaPanel v7.57.0 to eliminate the vulnerability.
- prevent: Restricts file path inputs to authorized values and locations, blocking LFI traversal to sensitive files.
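The input-validation control the page recommends (SI-10: validate file path inputs and restrict them to authorized locations) in working form, as an added example that is not aaPanel's code: a user-supplied relative path is canonicalised and accepted only if it stays under an allowed directory, which defeats `..` traversal, absolute paths, NUL truncation and symlink escapes. The directory tree, file names and the `resolve_in_base`/`read_file` helpers are constructed for the demonstration.

```python
import os
import tempfile
from typing import Optional

# Constructed sample tree (not aaPanel's layout): an allowed "www" root and an
# out-of-tree "secrets" directory that a traversal attempt would try to reach.
ROOT = tempfile.mkdtemp(prefix="lfi-demo-")
ALLOWED_BASE = os.path.join(ROOT, "www")
os.makedirs(os.path.join(ALLOWED_BASE, "site"))
os.makedirs(os.path.join(ROOT, "secrets"))
with open(os.path.join(ALLOWED_BASE, "site", "index.html"), "w") as fh:
    fh.write("<h1>hello</h1>")
with open(os.path.join(ROOT, "secrets", "config.txt"), "w") as fh:
    fh.write("db_password=example")
# A symlink inside the allowed tree that points outside it (constructed).
os.symlink(os.path.join(ROOT, "secrets"), os.path.join(ALLOWED_BASE, "escape"))


def resolve_in_base(user_path: str, base: str = ALLOWED_BASE) -> Optional[str]:
    """Return the canonical path for user_path if it lies inside base, else None.

    Checks, in order:
      1. reject NUL bytes (lower-level APIs may truncate the path there);
      2. reject absolute paths so base cannot be bypassed outright;
      3. join to base, canonicalise with realpath (collapses '..' and
         follows symlinks), then require the result to be base itself or
         a descendant of base. A plain string-prefix check is not enough:
         it would accept "/srv/www-evil" for base "/srv/www".
    """
    if "\x00" in user_path:
        return None
    if os.path.isabs(user_path):
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def read_file(user_path: str) -> Optional[str]:
    """Serve a file only after resolve_in_base accepts the path."""
    target = resolve_in_base(user_path)
    if target is None or not os.path.isfile(target):
        return None
    with open(target) as fh:
        return fh.read()
```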

References