CVE-2026-41315

9.8 CRITICAL

mdserver-web is a simple Linux panel

Published: 2026-05-14 · Last updated: 2026-05-27

Severity and scoring

CVSS: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-78, CWE-862

Affected products

Vendor	Product
midoks	mdserver-web

Description

mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication on the /modify_crond and /start_task interfaces, it is possible to modify the default built-in scheduled tasks and start them, achieving RCE.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-41315
[Vendor advisory]https://github.com/midoks/mdserver-web/security/advisories/GHSA-3h92-g9hr-xc25
[Vendor advisory]https://github.com/midoks/mdserver-web/security/advisories/GHSA-3h92-g9hr-xc25

Related CVEs

Same CWE

CVE-2026-42846 — ClipBucket v5 is an open source video sharing platform (9.8 CRITICAL)
CVE-2026-45172 — Due to incomplete input validation in Idira Privileged Session Manager for SSH (PSMP) versions prior to 15.0.2, 14.6.3, 14.2.5, and 14.0....
CVE-2026-53818 — OpenClaw before 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature that allows non-owner callers to ski... (6.6 MEDIUM)
CVE-2026-53816 — OpenClaw before 2026.5.18 contains an insufficient provenance validation vulnerability in node event handling that allows paired nodes to... (7.2 HIGH)
CVE-2026-53815 — OpenClaw before 2026.5.19 contains an authorization bypass vulnerability in message read actions that skips channel allowlist checks (6.5 MEDIUM)