Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability exists in the admin role management interface. In app/Http/Controllers/Admin/RoleController.php, the datatable() method interpolates $role->name and $role->color directly into a <span> element's HTML and style attribute without sanitization, and the chained .rawColumns(['actions', 'name']) call instructs DataTables to render the name column as raw HTML, bypassing automatic output escaping. An admin with role creation or edit permissions can inject a payload such as <img src=x onerror="alert('XSS_POC')"> into the name or color fields, which is persisted to the database and executes in the browser of every admin who loads the /admin/roles page. This enables session hijacking via cookie theft, credential harvesting through fake login prompts or keyloggers, lateral privilege escalation by performing admin actions on behalf of victims, and a persistent backdoor that re-executes on every page load until the malicious role record is removed. This issue has been resolved in version 1.2.0.
AnalysisAI
Stored XSS in CtrlPanel's admin role management interface (versions 1.1.1 and prior) allows a privileged admin to inject persistent malicious HTML into role name or color fields, which executes in the browser of every admin who subsequently loads the /admin/roles page. The attack enables session hijacking, credential harvesting via fake login prompts or keyloggers, and lateral privilege escalation by performing admin actions on behalf of victim admins - with the payload re-executing on every page load until the offending role record is manually deleted. No active exploitation is confirmed (not in CISA KEV), but a proof-of-concept payload is documented in the vendor advisory. Fixed in version 1.2.0.
Technical ContextAI
CtrlPanel is a PHP/Laravel-based open-source billing panel for hosting providers (CPE: cpe:2.3:a:ctrlpanel-gg:panel). The vulnerability originates in app/Http/Controllers/Admin/RoleController.php, where the datatable() method constructs HTML strings by directly interpolating $role->name and $role->color without sanitization. Critically, the chained .rawColumns(['actions', 'name']) call explicitly instructs the Laravel DataTables library to bypass its default output escaping for the name column, treating user-controlled database content as trusted raw HTML. Laravel's Blade templating engine normally escapes output via {{ }} syntax, but this server-side DataTables builder circumvents that protection by design - the developer explicitly opted into raw HTML rendering. The root cause class is CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), a stored variant where the injection point is the database and the sink is the dynamically built DataTable response rendered in admin browsers.
RemediationAI
Upgrade to CtrlPanel version 1.2.0, which resolves this vulnerability per the official security advisory at https://github.com/Ctrlpanel-gg/panel/security/advisories/GHSA-wpqj-xwhq-2mmh and the release notes at https://github.com/Ctrlpanel-gg/panel/releases/tag/1.2.0. Version 1.2.0 is a major release that also includes significant bug fixes across credits, coupons, referrals, and server allocation logic. If immediate upgrade is not feasible, audit all existing role records in the database for suspicious HTML in the name and color fields (e.g., any values containing angle brackets, script tags, or event handler attributes) and remove or sanitize them - this is necessary even after patching if a payload was already injected. Additionally, restrict role creation and edit permissions to the minimum number of trusted admins to reduce the injection attack surface. Note that version 1.2.0 also includes a license change from AGPL 3.0 to Mozilla Public License 2.0, which may have procurement or compliance implications for organizations prior to upgrade.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-80 – Basic XSS
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30986