Another zPanel vulnerability
Posted by: TimW on 06/11/2013 03:36 PM
The open source, GPLv3-licensed zPanel project has a security vulnerability that an attacker can exploit to obtain root access to the server. The zPanel development team is working on a patch, and a hotfix that can be applied manually is circulating on forums. The flaw exists in the ZPX HTPASSWD module.
The module's failure to adequately check user input means that an authenticated attacker can inject arbitrary shell commands into the server. Head developer Bobby Allen has explicitly advised zPanel users to disable the vulnerable module.
The last time zPanel was in the headlines was when a support worker posted insulting remarks towards a forum user, which provoked other users to take revenge by hacking the main zPanel server.