CVE-2026-41315

Severity CVSS v4.0:
CRITICAL
Type:
CWE-78 OS Command Injections
Publication date:
14/05/2026
Last modified:
27/05/2026

Description

mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication on the /modify_crond and /start_task interfaces, it is possible to modify the default built-in scheduled tasks and start them, achieving RCE.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:midoks:mdserver-web:*:*:*:*:*:*:*:* 0.18.0 (including) 0.18.4 (including)