CVE-2026-34216: CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') in Ctrlpanel-gg panel
CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a fully qualified class name directly from user-supplied request input and used it for dynamic static method calls and object instantiation without any allowlist validation, allowing for authenticated Remote Code Execution. An authenticated admin-level user could supply an arbitrary class name available in the Composer autoloader, potentially triggering unintended constructor or magic method execution. The update() method reads settings_class directly from the HTTP request and passed it to new $settings_class() and $settings_class::getValidations() without verifying that the provided value corresponds to a legitimate settings class: Because PHP resolves class names against the Composer autoloader at runtime, any autoloadable class in the application or its dependencies could be instantiated. Depending on the classes available in the dependency tree, this can trigger unintended side effects through constructors or magic methods (__construct, __toString, __wakeup), following a PHP object injection / gadget chain pattern. This issue has been fixed in version 1.2.0.
AI Analysis
Technical Summary
CVE-2026-34216 is an unsafe reflection vulnerability (CWE-470) in CtrlPanel (versions prior to 1.2.0). The admin settings update endpoint reads a class name from user input and uses it directly to instantiate objects and call static methods without allowlist validation. Because PHP resolves class names at runtime via the Composer autoloader, any autoloadable class can be instantiated, potentially triggering side effects through constructors or magic methods such as __construct, __toString, or __wakeup. This can lead to authenticated remote code execution by abusing PHP object injection or gadget chains.
Potential Impact
An authenticated admin-level user can supply arbitrary class names to the vulnerable endpoint, leading to remote code execution. This can compromise confidentiality, integrity, and availability of the affected system. The CVSS 3.1 base score is 6.6 (medium severity), reflecting the need for admin privileges and high attack complexity.
Mitigation Recommendations
This vulnerability is fixed in CtrlPanel version 1.2.0. Users should upgrade to version 1.2.0 or later to remediate this issue. No official patch or temporary workaround is indicated in the advisory. Until upgrading, restrict admin access to trusted users only.
CVE-2026-34216: CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') in Ctrlpanel-gg panel
Description
CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a fully qualified class name directly from user-supplied request input and used it for dynamic static method calls and object instantiation without any allowlist validation, allowing for authenticated Remote Code Execution. An authenticated admin-level user could supply an arbitrary class name available in the Composer autoloader, potentially triggering unintended constructor or magic method execution. The update() method reads settings_class directly from the HTTP request and passed it to new $settings_class() and $settings_class::getValidations() without verifying that the provided value corresponds to a legitimate settings class: Because PHP resolves class names against the Composer autoloader at runtime, any autoloadable class in the application or its dependencies could be instantiated. Depending on the classes available in the dependency tree, this can trigger unintended side effects through constructors or magic methods (__construct, __toString, __wakeup), following a PHP object injection / gadget chain pattern. This issue has been fixed in version 1.2.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-34216 is an unsafe reflection vulnerability (CWE-470) in CtrlPanel (versions prior to 1.2.0). The admin settings update endpoint reads a class name from user input and uses it directly to instantiate objects and call static methods without allowlist validation. Because PHP resolves class names at runtime via the Composer autoloader, any autoloadable class can be instantiated, potentially triggering side effects through constructors or magic methods such as __construct, __toString, or __wakeup. This can lead to authenticated remote code execution by abusing PHP object injection or gadget chains.
Potential Impact
An authenticated admin-level user can supply arbitrary class names to the vulnerable endpoint, leading to remote code execution. This can compromise confidentiality, integrity, and availability of the affected system. The CVSS 3.1 base score is 6.6 (medium severity), reflecting the need for admin privileges and high attack complexity.
Mitigation Recommendations
This vulnerability is fixed in CtrlPanel version 1.2.0. Users should upgrade to version 1.2.0 or later to remediate this issue. No official patch or temporary workaround is indicated in the advisory. Until upgrading, restrict admin access to trusted users only.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-26T15:57:52.324Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0cd03bba1db47362edbc4b
Added to database: 5/19/2026, 9:03:55 PM
Last enriched: 5/19/2026, 9:18:32 PM
Last updated: 5/20/2026, 1:33:13 PM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.