## https://sploitus.com/exploit?id=D7050BD2-7A8F-505B-9837-BB5B2C42C9CC
# CVE-2026-50979: Authenticated Remote Code Execution in oPanel
## Overview
* **CVE ID:** CVE-2026-50979
* **Product:** oPanel
* **Affected Versions:** v1.19.50 and earlier
* **Vulnerability Type:** Authenticated Command Injection / Remote Code Execution (RCE)
* **Vulnerable Component:** `/advanced/curl` endpoint
* **Severity:** Critical
## Description
A command injection vulnerability exists in the `advanced/curl` endpoint of oPanel (versions v1.19.50 and earlier). The application fails to adequately sanitize user-supplied input provided to the `url` parameter before passing it to the system's underlying `curl` execution routine.
An authenticated attacker can bypass basic space restrictions using shell variables (such as `${IFS}`) and inject arbitrary operating system commands (e.g., using the `;` operator). This allows the attacker to execute arbitrary code on the underlying server with the privileges of the web application.
## Impact
Successful exploitation permits an authenticated user to execute arbitrary shell commands on the server hosting oPanel. This can lead to complete system compromise, unauthorized data access, and further lateral movement within the network.
## Proof of Concept (PoC)
The vulnerability is triggered by sending a crafted HTTP POST request to the vulnerable endpoint after successful authentication.
**Vulnerable Endpoint:**
`POST /advanced/curl` *(typically accessed via port 2083)*
**Malicious Payload Structure:**
```http
POST /advanced/curl HTTP/1.1
Host: :2083
Content-Type: application/x-www-form-urlencoded
Cookie:
url=[http://example.com/;id](http://example.com/;id)