CVE-2026-41473 · CRITICAL 9.1 · EPSS p50.9%

Description

CyberPanel versions prior to 2.4.4 contain an authentication bypass vulnerability in the AI Scanner worker API endpoints that allows unauthenticated remote attackers to write arbitrary data to the database by sending requests to the /api/ai-scanner/status-webhook and /api/ai-scanner/callback endpoints. Attackers can exploit the lack of authentication checks to cause denial of service through storage exhaustion, corrupt scan history records, and pollute database fields with malicious data.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.77% probability of exploitation · percentile 50.9% · 2026-06-19T12:03:05Z
Published: 2026-04-24
Last modified: 2026-04-28

Underlying weaknesses · 1

CWE-306

References

  1. https://github.com/usmannasir/cyberpanel/commit/0a099b1b193946555fbdd387a28486b1521f9961
  2. https://itsrez.re/post/cyberpanel-rce
  3. https://www.vulncheck.com/advisories/cyberpanel-unauthenticated-api-access-via-ai-scanner-endpoints

Type | Target | Confidence | Tier
Weakness | Missing Authentication for Critical Function cwe-306 | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CyberPanel Incorrect Default Permissions Vulnerability
  2. CVE: CVE-2026-41394
  3. CVE: CVE-2025-25268
  4. CVE: CVE-2026-28710
  5. CVE: CVE-2026-41454
  6. CVE: CVE-2026-24789

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.