CVE-2026-34241— CtrlPanel: Stored XSS in Ticket Reply Notifications Allows Session Hijacking
Possible ATT&CK Techniques 2AI
T1059 · Command and Scripting Interpreter T1189 · Drive-by CompromiseAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Ctrlpanel-gg | panel | < 1.2.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-34241
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
CtrlPanel: Stored XSS in Ticket Reply Notifications Allows Session Hijacking
Source: NVD (National Vulnerability Database)
Vulnerability Description
CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability in the ticket reply notification system. Unsanitized reply content ($newmessage) is stored directly in database notification payloads and later rendered unescaped via Blade's {!! !!} syntax in the recipient's browser. The flaw exists in both App\Notifications\Ticket\Admin\AdminReplyNotification (triggered when a user replies, targeting admins) and App\Notifications\Ticket\User\ReplyNotification (triggered when an admin replies, targeting users), allowing arbitrary JavaScript execution in the victim's session context. A low-privileged attacker can exploit this to hijack admin sessions, harvest credentials via fake login prompts or keyloggers, and escalate privileges by performing administrative actions on the victim's behalf. The reverse path also enables a malicious or compromised admin to target regular users in the same manner. This issue has been fixed in version 1.2.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
CtrlPanel.gg 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
CtrlPanel.gg是CtrlPanel.gg开源的一款主机服务计费管理工具。 CtrlPanel.gg 1.1.1及之前版本存在跨站脚本漏洞,该漏洞源于工单回复通知系统中未对回复内容进行清理,直接存储到数据库通知负载中,并通过Blade的{!! !!}语法未转义渲染,可能导致存储型跨站脚本攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Ctrlpanel-gg | panel | < 1.2.0 | - |
II. Public POCs for CVE-2026-34241
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCVerified env Premium
Real sandbox recording· Watch the recording below to confirm the POC actually triggers the vulnerability.
Sandbox build & launch
Qwen3.6-35B-A3B · 8709 chars
Paid plan includes:
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-34241
请登录查看更多情报信息。
Other · 1Advisory · 1
- Release 1.2.0 · Ctrlpanel-gg/panel · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-34241
Same Patch Batch · Ctrlpanel-gg · 2026-05-19 · 6 CVEs total
| CVE-2026-34234 | 10.0 CRITICAL | CtrlPanel: Unauthenticated RCE using installer script |
| CVE-2026-34358 | 8.1 HIGH | CtrlPanel: Missing Authorization on Admin Write Endpoints Allows RBAC Bypass |
| CVE-2026-34216 | 6.6 MEDIUM | CtrlPanel: Authenticated Remote Code Execution via Dynamic Class Instantiation in Settings |
| CVE-2026-34233 | 6.5 MEDIUM | CtrlPanel has Missing Authentication Checks in Datatable Admin Endpoints |
| CVE-2026-34246 | 4.8 MEDIUM | CtrlPanel: Stored XSS in Admin Role Management via Unescaped DataTable HTML Output |
IV. Related Vulnerabilities
Same product: panel
- CVE-2026-34358
CtrlPanel: Missing Authorization on Admin Write Endpoints Al - CVE-2026-34246
CtrlPanel: Stored XSS in Admin Role Management via Unescaped - CVE-2026-34234
CtrlPanel: Unauthenticated RCE using installer script - CVE-2026-34233
CtrlPanel has Missing Authentication Checks in Datatable Adm - CVE-2026-34216
CtrlPanel: Authenticated Remote Code Execution via Dynamic C
Same vendor: Ctrlpanel-gg
- CVE-2026-34358
CtrlPanel: Missing Authorization on Admin Write Endpoints Al - CVE-2026-34246
CtrlPanel: Stored XSS in Admin Role Management via Unescaped - CVE-2026-34234
CtrlPanel: Unauthenticated RCE using installer script - CVE-2026-34233
CtrlPanel has Missing Authentication Checks in Datatable Adm - CVE-2026-34216
CtrlPanel: Authenticated Remote Code Execution via Dynamic C
Same weakness: CWE-79
- CVE-2026-8353
Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XS - CVE-2026-3481
WP Blockade <= 0.9.14 - Reflected Cross-Site Scripting via ' - CVE-2026-7509
KIA Subtitle <= 4.0.1 - [Improper Neutralization of Input Du - CVE-2026-6864
CBX 5 Star Rating & Review <= 1.0.7 - Reflected Cross-Site S - CVE-2026-9104
Draft List <= 2.6.3 - Authenticated (Author+) Stored Cross-S
V. Comments for CVE-2026-34241
No comments yet