CVE-2026-41315
mdserver-web: Missing Authorization and Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication on the /modify_crond and /start_task interfaces, it is possible to modify the default built-in scheduled tasks and start them, achieving RCE.
| CWE | CWE-78 CWE-862 |
| Vendor | midoks |
| Product | mdserver-web |
| Published | May 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for midoks mdserver-web
Be the first to know when new unknown vulnerabilities affecting midoks mdserver-web are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
midoks / mdserver-web
>= 0.18.0, <= 0.18.4