aaPanel Local File Inclusion Vulnerability Allowing Sensitive Information Exposure

Vulnerability

A local file inclusion vulnerability has been identified in aaPanel version 7.57.0. This vulnerability arises from inadequate path validation, allowing attackers to include and execute files from the server's file system. Exploitation of this vulnerability can lead to the exposure of sensitive information, such as system files containing password hashes, which could be used for further attacks.

Impact

Exploitation of this vulnerability allows authenticated users to read sensitive system files, such as /etc/passwd and /etc/shadow. This access could lead to the disclosure of credentials or password hashes, with a strong likelihood of full system compromise, as the application runs with root privileges.

Reproduction

The vulnerability can be reproduced by sending a request to the '/download' endpoint with a 'filename' parameter that includes a path traversal payload. This payload should navigate to sensitive system files, such as '/etc/passwd' or '/etc/shadow'. Alternatively, if the stored XSS vulnerability CVE-2026-29859 has been exploited, the same file inclusion can be achieved by injecting a script that redirects to the download URL with the desired filename parameter.

Added: Mar 18, 2026, 7:24 PM
Updated: Mar 18, 2026, 7:24 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.