CVE-2026-41315
Severity CVSS v4.0:
CRITICAL
Type:
CWE-78
OS Command Injections
Publication date:
14/05/2026
Last modified:
27/05/2026
Description
mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication on the /modify_crond and /start_task interfaces, it is possible to modify the default built-in scheduled tasks and start them, achieving RCE.
Impact
Base Score 4.0
9.30
Severity 4.0
CRITICAL
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:midoks:mdserver-web:*:*:*:*:*:*:*:* | 0.18.0 (including) | 0.18.4 (including) |
To consult the complete list of CPE names with products and versions, see this page



