CVE-2024-53584

CRITICAL

OpenPanel v0.3.4 - OS Command Injection via Timezone Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-53584. PoCs published by Korn Chaisuwan, Charanin Thongudom, Pongtorn Angsuchotmetee.

AI-analyzed exploit summary: This exploit demonstrates an OS command injection vulnerability in OpenPanel 0.3.4 via the `/server/timezone` endpoint. The payload injects a command to read `/etc/shadow` and write it to a file, confirming arbitrary command execution.

Description

OpenPanel v0.3.4 was discovered to contain an OS command injection vulnerability via the timezone parameter.

Exploits (1)

exploitdb WORKING POC
by Korn Chaisuwan, Charanin Thongudom, Pongtorn Angsuchotmetee · text · webapps · multiple
https://www.exploit-db.com/exploits/52197

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: OpenPanel 0.3.4
Auth required
Prerequisites: Valid session cookie · Access to the `/server/timezone` endpoint
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.0392
EPSS Percentile 88.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE CWE-78
Status published
Products (1)
openpanel/openpanel 0.3.4
Published Jan 31, 2025
Tracked Since Feb 18, 2026