Cyber Posture

CVE-2026-29858

Severity: High · Public PoC

Published: 18 March 2026
Modified: 19 March 2026
KEV Added: not listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0006 (17.6th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-29858 is a high-severity vulnerability in aaPanel, classified as CWE-98 (PHP Remote File Inclusion); the NVD description characterises it as a local file inclusion (LFI) caused by missing path validation, i.e. an arbitrary local file read. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE at the 17.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Data from Local System (T1005). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-10 Information Input Validation (prevent)

Directly requires validation of file path inputs to prevent LFI attacks exploiting the lack of path validation in aaPanel.

SI-2 Flaw Remediation (prevent)

Mandates identification, reporting, and correction of the specific LFI flaw in aaPanel v7.57.0 to eliminate the vulnerability.

Further control (prevent)

Restricts file path inputs to authorized values and locations, blocking LFI traversal to sensitive files.
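The input-validation controls above (SI-10 and the restriction of file path inputs to authorized locations) are easiest to judge against concrete code. The following is an added example written for this page, not aaPanel's code and not the vulnerable endpoint: a hypothetical file-serving helper that opens a request-supplied path with no validation, next to the check a reviewer would ask for. The check canonicalises the path before testing containment, so `..` segments, symlinks and absolute inputs are all decided on the path the OS will actually open, and it uses `os.path.commonpath` rather than a string prefix so `/srv/www` does not accept `/srv/www2`. The directory tree it builds is constructed sample data.

```python
import os
import tempfile

# Added illustration for this page: hypothetical file-serving helpers written
# to show the defect class (a path taken from the request and opened without
# validation) next to the SI-10 style check. This is not aaPanel's code and
# does not reproduce the vulnerable endpoint.


def read_file_unsafe(base_dir: str, requested: str) -> bytes:
    """Open base_dir/requested with no validation at all.

    os.path.join() throws base_dir away when `requested` is absolute, and
    '..' segments (or a symlink inside base_dir) walk out of the tree, so a
    remote caller can read any file the service account can read.
    """
    with open(os.path.join(base_dir, requested), "rb") as fh:
        return fh.read()


def resolve_under_base(base_dir: str, requested: str) -> str:
    """Canonicalise `requested` and return it only if it stays inside base_dir.

    realpath() resolves '..' and symlinks *before* the containment test, so
    the test is applied to the path the OS will actually open.  commonpath()
    is used instead of str.startswith() so that base "/srv/www" does not
    accept "/srv/www2/...".
    """
    if "\x00" in requested:
        raise ValueError("NUL byte in requested path")
    base = os.path.realpath(base_dir)
    # Treat an absolute input as relative instead of letting it replace base.
    relative = requested.lstrip("/\\")
    candidate = os.path.realpath(os.path.join(base, relative))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {requested!r}")
    return candidate


def read_file_safe(base_dir: str, requested: str) -> bytes:
    with open(resolve_under_base(base_dir, requested), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a throwaway directory tree (constructed sample data) and probe
    both readers.  Returns {label: (unsafe_read_succeeded, safe_read_succeeded)}.
    """
    root = tempfile.mkdtemp()
    www = os.path.join(root, "www")
    www2 = os.path.join(root, "www2")          # sibling sharing a name prefix
    os.makedirs(www)
    os.makedirs(www2)
    secret = os.path.join(root, "secret.conf")
    with open(os.path.join(www, "index.html"), "w") as fh:
        fh.write("hello")
    with open(secret, "w") as fh:
        fh.write("db_password=example-only")   # constructed, not a real secret
    with open(os.path.join(www2, "other.conf"), "w") as fh:
        fh.write("x")
    os.symlink(secret, os.path.join(www, "link"))   # symlink pointing outside

    probes = {
        "legit": "index.html",
        "traversal": "../secret.conf",
        "symlink": "link",
        "absolute": secret,
        "prefix_sibling": "../www2/other.conf",
    }
    results = {}
    for label, requested in probes.items():
        try:
            read_file_unsafe(www, requested)
            unsafe_ok = True
        except OSError:
            unsafe_ok = False
        try:
            read_file_safe(www, requested)
            safe_ok = True
        except (OSError, ValueError):
            safe_ok = False
        results[label] = (unsafe_ok, safe_ok)
    return results


if __name__ == "__main__":
    for label, (unsafe_ok, safe_ok) in demo().items():
        print(f"{label:15s} unsafe={unsafe_ok!s:5s} safe={safe_ok}")
```

Running `demo()` shows the unsafe reader returning the secret for every probe except the legitimate one, while the hardened reader serves only `index.html`; the `absolute` probe is not rejected by the containment test but is re-rooted under the base directory, where the file does not exist. Whatever the real patch looks like, this is the property to test for: the canonical path of every accepted request lies under the intended root.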

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

A remote, unauthenticated LFI in the public-facing aaPanel web application directly matches T1190; the resulting arbitrary local file reads enable T1005 collection of configuration files and credentials from the host.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
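For the detection side of T1190 against an LFI like this one, the signal is a request whose path or parameter, after percent-decoding, contains a `..` segment or names a well-known sensitive file, with the response status telling you whether the read probably succeeded. The block below is an added example written for this page, not aaPanel's code and not a detection rule for the actual CVE-2026-29858 endpoint; the log lines are constructed (combined log format, RFC 5737 test addresses) and the `/download?path=` parameter is a hypothetical stand-in for any file-serving endpoint. It decodes repeatedly so that double-encoded traversal (`%252e%252e`), a common way to slip past a single-pass normaliser, is caught and labelled.

```python
import re
from urllib.parse import unquote

# Added detection example for this page. The log lines below are constructed
# (RFC 5737 test addresses, combined log format) and are not aaPanel logs; the
# /download?path= parameter is a hypothetical stand-in for any file-serving
# endpoint, not the CVE-2026-29858 endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Mar/2026:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Mar/2026:10:01:07 +0000] "GET /download?path=../../../../etc/passwd HTTP/1.1" 200 1893 "-" "curl/8.4.0"
198.51.100.2 - - [18/Mar/2026:10:01:09 +0000] "GET /download?path=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0 "-" "python-requests/2.31"
198.51.100.2 - - [18/Mar/2026:10:01:11 +0000] "GET /download?path=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1893 "-" "python-requests/2.31"
203.0.113.5 - - [18/Mar/2026:10:02:30 +0000] "GET /static/app.js HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# '..' followed by a separator (or end of string), evaluated after decoding.
TRAVERSAL_RE = re.compile(r'\.\.(?:[/\\]|$)')
# Files an LFI read-out typically goes for first.
SENSITIVE_RE = re.compile(r'/etc/(?:passwd|shadow)|/\.ssh/|\.env$|\.pem$', re.I)


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %252e%252e is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan(log_text: str) -> list:
    """Return one dict per suspicious request, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m["target"]
        decoded = fully_decode(raw)
        reasons = []
        if TRAVERSAL_RE.search(decoded):
            reasons.append("dot-dot traversal")
        if SENSITIVE_RE.search(decoded):
            reasons.append("sensitive target")
        if not reasons:
            continue
        if decoded != unquote(raw):
            reasons.append("double-encoded")   # single-pass normaliser evasion
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "target": decoded,
            "status": int(m["status"]),
            "succeeded": m["status"] == "200",  # 200 means the read likely worked
            "reasons": reasons,
        })
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        flag = "READ OK" if h["succeeded"] else "blocked"
        print(f'{h["ip"]:14s} {flag:8s} {h["target"]}  [{", ".join(h["reasons"])}]')
```

Three of the five constructed lines are flagged; the 403 on the single-encoded `/etc/shadow` probe followed by a 200 on the double-encoded `/etc/passwd` request from the same address is the pattern worth paging on, since it suggests a front-end filter that was bypassed. In a real deployment the same logic belongs in the SIEM query over the panel's access logs, keyed on the patched endpoint's parameter name.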

NVD Description

A lack of path validation in aaPanel v7.57.0 allows attackers to execute a local file inclusion (LFI), leading to sensitive information exposure.

Deeper analysis [AI-generated]

CVE-2026-29858 affects aaPanel version 7.57.0, where a lack of path validation enables local file inclusion (LFI) attacks, leading to sensitive information exposure. Published on 2026-03-18, this vulnerability is classified under CWE-98 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no effects on integrity or availability.

Remote attackers require no privileges, authentication, or user interaction to exploit this issue over the network with low complexity. Successful exploitation allows reading arbitrary local files on the affected server, potentially exposing configuration data, credentials, or other sensitive content.

Mitigation details and further analysis are available in referenced sources, including the official aaPanel GitHub repository at https://github.com/aapanel/aapanel and vulnerability research at https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2026-29858.

Details

CWE(s)

CWE-98 PHP Remote File Inclusion

Affected Products

Vendor: aapanel · Product: aapanel · Version: 7.57.0

CVEs Like This One

CVE-2026-29859 (same product: aaPanel)
CVE-2026-29856 (same product: aaPanel)
CVE-2025-69040 (shared CWE-98)
CVE-2025-69037 (shared CWE-98)
CVE-2026-25464 (shared CWE-98)
CVE-2026-22516 (shared CWE-98)
CVE-2025-53447 (shared CWE-98)
CVE-2025-22509 (shared CWE-98)
CVE-2025-58225 (shared CWE-98)
CVE-2025-69004 (shared CWE-98)

References

https://github.com/aapanel/aapanel
https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2026-29858