We would like to provide a technical clarification regarding reports and references associated with CVE-2025-67888 that mention Softaculous or SitePad.
After reviewing the issue and the reported execution path, we have not identified vulnerable code related to this issue within the Softaculous or SitePad codebases.
Clarification on the Affected Component
Softaculous and SitePad integrate with CentOS Web Panel (CWP) using APIs provided by CWP. These APIs are used for tasks such as retrieving domains, databases, account information, and other hosting-related data required for the integration.
When Softaculous or SitePad are installed in CWP environments, the API functionality is enabled using CWP’s own mechanism:
sh /scripts/install_api
This API implementation is provided and maintained by the CWP project.
It is also important to clarify that this API functionality is not exclusive to Softaculous or SitePad.
Any environment in which the CWP API was enabled manually using the above command, or in which another module, plugin, extension, or third-party integration used the same CWP API functionality, interacts with the same underlying CWP implementation.
As a result, the reported issue should not be interpreted as being specific to Softaculous or SitePad installations.
About the “key” Parameter Mentioned in Reports
Some reports reference a key parameter and associate it with Softaculous or SitePad integration.
We would like to clarify that values passed by Softaculous or SitePad are fetched internally and are not directly supplied by end users through Softaculous or SitePad interfaces.
Our review indicates that the parameter handling leading to the reported issue does not originate from Softaculous or SitePad code.
Exploitation Path
Based on our analysis, the execution path associated with the issue targets CWP functionality directly through CWP administrative components.
https://[CWP]/admin/index.php?api=1&key=$(cmd)
The reported execution does not require Softaculous or SitePad to be installed in order to reach the vulnerable code path.
As a result, removing Softaculous or SitePad should not be considered a mitigation step for this issue.
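Because the request path above reaches CWP's admin API directly, one practical step for a hosting provider is to check web server access logs for requests to that endpoint whose "key" parameter carries shell command-substitution syntax. The following checker is an added example written for this clarification; it is not code from the Softaculous, SitePad, or CWP projects. It assumes the Apache/nginx combined log format, the log lines are constructed for the example, and the marker list (`$(`, `${`, backtick, `;`, `|`) is a starting heuristic rather than an exhaustive filter.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry: "METHOD target PROTOCOL".
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Shell command-substitution and chaining syntax that a legitimate API key never contains
# (assumed heuristic list; extend it to match local policy).
_SHELL_MARKERS = ("$(", "${", "`", ";", "|")


def suspicious_key_values(query_string: str) -> list:
    """Return every 'key' value in the query string that carries shell syntax.

    parse_qs percent-decodes once; the extra unquote() pass also catches a
    double-encoded value such as %2524%2528cmd%2529.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    hits = []
    for value in params.get("key", []):
        decoded = unquote(value)
        if any(marker in decoded for marker in _SHELL_MARKERS):
            hits.append(decoded)
    return hits


def check_line(line: str):
    """Return (client_ip, api_flag, offending_key) for a suspicious request, else None."""
    m = _REQ_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Only the CWP admin entry point named in the advisory is of interest here.
    if not parts.path.endswith("/admin/index.php"):
        return None
    hits = suspicious_key_values(parts.query)
    if not hits:
        return None
    api_flag = parse_qs(parts.query).get("api", [""])[0]
    client_ip = line.split(" ", 1)[0]
    return (client_ip, api_flag, hits[0])


def scan_log(lines) -> list:
    """Run check_line over an iterable of log lines and collect (lineno, ip, api, key) findings."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        result = check_line(line)
        if result:
            findings.append((lineno,) + result)
    return findings


# Constructed sample entries in combined log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2025:10:00:00 +0000] "GET /admin/index.php?api=1&key=abcdef0123456789 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "GET /admin/index.php?api=1&key=$(cmd) HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET /admin/index.php?api=1&key=%24%28cmd%29 HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '192.0.2.5 - - [01/Jan/2025:10:00:03 +0000] "GET /index.php?key=$(cmd) HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for lineno, ip, api, key in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {ip} api={api!r} key={key!r}")
```

Run against a real log with `scan_log(open("/var/log/httpd/access_log"))`; the second and third sample lines are reported, the first (a plain key) and the fourth (a different path) are not. A hit is a reason to confirm the CWP version is patched and to review what the originating client did next, not proof of compromise on its own.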
Remediation Guidance
Users running affected CWP installations should:
- Update CWP to the version containing the fix.
- Follow remediation guidance issued by the CWP team.
- Apply all security updates released by CWP.
Our understanding is that the remediation was delivered through CWP updates, which further indicates that the affected implementation resides within CWP components.
Working with Security Researchers
We appreciate the work performed by security researchers and vulnerability reporting teams.
We have contacted the reporting parties to request clarification of component attribution.
If any researcher, hosting provider, or security team would like additional technical details, they are welcome to contact the Softaculous team.
We remain committed to responsible disclosure practices and accurate vulnerability attribution.