Skip to main content

CtrlPanel CVE-2026-34246

| EUVDEUVD-2026-30986 MEDIUM
Basic XSS (CWE-80)
2026-05-19 GitHub_M
4.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
May 19, 2026 - 22:02 EUVD
Source Code Evidence Fetched
May 19, 2026 - 22:01 vuln.today
Analysis Generated
May 19, 2026 - 22:01 vuln.today

DescriptionGitHub Advisory

CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability exists in the admin role management interface. In app/Http/Controllers/Admin/RoleController.php, the datatable() method interpolates $role->name and $role->color directly into a <span> element's HTML and style attribute without sanitization, and the chained .rawColumns(['actions', 'name']) call instructs DataTables to render the name column as raw HTML, bypassing automatic output escaping. An admin with role creation or edit permissions can inject a payload such as <img src=x onerror="alert('XSS_POC')"> into the name or color fields, which is persisted to the database and executes in the browser of every admin who loads the /admin/roles page. This enables session hijacking via cookie theft, credential harvesting through fake login prompts or keyloggers, lateral privilege escalation by performing admin actions on behalf of victims, and a persistent backdoor that re-executes on every page load until the malicious role record is removed. This issue has been resolved in version 1.2.0.

AnalysisAI

Stored XSS in CtrlPanel's admin role management interface (versions 1.1.1 and prior) allows a privileged admin to inject persistent malicious HTML into role name or color fields, which executes in the browser of every admin who subsequently loads the /admin/roles page. The attack enables session hijacking, credential harvesting via fake login prompts or keyloggers, and lateral privilege escalation by performing admin actions on behalf of victim admins - with the payload re-executing on every page load until the offending role record is manually deleted. No active exploitation is confirmed (not in CISA KEV), but a proof-of-concept payload is documented in the vendor advisory. Fixed in version 1.2.0.

Technical ContextAI

CtrlPanel is a PHP/Laravel-based open-source billing panel for hosting providers (CPE: cpe:2.3:a:ctrlpanel-gg:panel). The vulnerability originates in app/Http/Controllers/Admin/RoleController.php, where the datatable() method constructs HTML strings by directly interpolating $role->name and $role->color without sanitization. Critically, the chained .rawColumns(['actions', 'name']) call explicitly instructs the Laravel DataTables library to bypass its default output escaping for the name column, treating user-controlled database content as trusted raw HTML. Laravel's Blade templating engine normally escapes output via {{ }} syntax, but this server-side DataTables builder circumvents that protection by design - the developer explicitly opted into raw HTML rendering. The root cause class is CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), a stored variant where the injection point is the database and the sink is the dynamically built DataTable response rendered in admin browsers.

RemediationAI

Upgrade to CtrlPanel version 1.2.0, which resolves this vulnerability per the official security advisory at https://github.com/Ctrlpanel-gg/panel/security/advisories/GHSA-wpqj-xwhq-2mmh and the release notes at https://github.com/Ctrlpanel-gg/panel/releases/tag/1.2.0. Version 1.2.0 is a major release that also includes significant bug fixes across credits, coupons, referrals, and server allocation logic. If immediate upgrade is not feasible, audit all existing role records in the database for suspicious HTML in the name and color fields (e.g., any values containing angle brackets, script tags, or event handler attributes) and remove or sanitize them - this is necessary even after patching if a payload was already injected. Additionally, restrict role creation and edit permissions to the minimum number of trusted admins to reduce the injection attack surface. Note that version 1.2.0 also includes a license change from AGPL 3.0 to Mozilla Public License 2.0, which may have procurement or compliance implications for organizations prior to upgrade.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-34246 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy