Topic: CWP needs to move forward - Fast

Re: CWP needs to move forward - Fast
« Reply #15 on: April 16, 2026, 09:17:52 AM »
Controlling network services, protocols, and port access to and from CWP servers is relatively straightforward. By deploying a properly configured firewall between the internet and your CWP infrastructure, administrators can tightly regulate traffic and tailor access according to their specific requirements. In practice, this means CWP environments can be isolated and managed with a high degree of flexibility.

However, while network-level controls are important, they are not the primary concern.

The more pressing issue lies in end-of-life (EOL) applications and/or operating systems that continue to exist within the CWP ecosystem. These outdated components often carry known security vulnerabilities, making them a significant risk regardless of how well the surrounding network is protected. A firewall cannot mitigate vulnerabilities that are already present within the system itself.

For this reason, addressing EOL applications and/or operating systems and their associated security issues should be the top priority for CWP development. Failing to remediate these risks undermines the effectiveness of all other security measures. From a security standpoint, it is difficult to justify prioritizing new features or secondary improvements over resolving known, exploitable weaknesses.

In short, strong perimeter defenses are valuable—but they are not a substitute for maintaining a secure and up-to-date software stack. Ensuring that all components are supported and free from known vulnerabilities must come first.

Re: CWP needs to move forward - Fast
« Reply #16 on: April 16, 2026, 09:28:15 AM »
It is a significant red flag when CWP developers do not prioritise security fixes above all other development efforts. In any system exposed to the internet, security is not just another item on the roadmap—it is the foundation everything else depends on.

When known vulnerabilities or end-of-life components remain unaddressed, it signals a misalignment in priorities. New features, interface improvements, or performance enhancements may add value, but they do not reduce risk. In fact, continuing development without first resolving security issues can compound that risk by increasing system complexity while leaving existing weaknesses intact.

There is little justification for delaying security remediation, particularly when vulnerabilities are already identified and potentially exploitable. In modern software development, responsible practices—such as timely patching, dependency management, and proactive vulnerability mitigation—are not optional; they are baseline expectations.

Failing to treat security as the top priority undermines user trust and places the burden of risk mitigation on system administrators, who are then forced to rely on external controls like firewalls to compensate for weaknesses that should have been addressed at the source.

Ultimately, security should lead development, not follow it. Anything less raises serious concerns about the long-term reliability and safety of the platform.

Re: CWP needs to move forward - Fast
« Reply #17 on: April 16, 2026, 07:50:26 PM »
All the latest versions 0.9.8.1221 to the current 09.8.1124 have all been releases for control panel security fixes.

The last CVE (CVE-2025-48703) was patched back in 0.9.8.1205

Last version that updated PHP was 0.9.8.1220

So they are prioritizing security fixes above updating control panel features.
« Last Edit: April 16, 2026, 07:54:40 PM by Starburst »

Re: CWP needs to move forward - Fast
« Reply #18 on: April 16, 2026, 09:26:23 PM »
> Last version that updated PHP was 0.9.8.1220

CWP is running... in PHP 7.

> So they are prioritizing security fixes above updating control panel features.

No.

> The last CVE (CVE-2025-48703) was patched back in 0.9.8.1205

No. There are multiple CVEs still active and ignored.

And that doesn't count the CVEs that are active in all the other software that CWP uses. We are talking ONLY about CVEs in CWP itself.
Because if we are going the route of CVEs that are active in the outdated software related to CWP services...

> All the latest versions 0.9.8.1221 to the current 09.8.1124 have all been releases for control panel security fixes.

Do you know that... how?
What changed? What CVE was fixed? What file? What was the security fix made?
Can you provide ANY explanation?

Also: I have a test server where I monitor the changes made in CWP files after every update. Do you really wanna know what changed?
There was an update where the only change was a date string. And that increased the number of the update version.
Do you consider that a priority in the update for CWP's future? I don't...