# CyberPanel < 2.4.4 Stored Cross-Site Scripting (XSS) Vulnerability Summary

## Vulnerability Overview

* **Vulnerability Title**: CyberPanel < 2.4.4 Stored XSS via AI Scanner Dashboard
* **Vulnerability Type**: Stored Cross-Site Scripting (Stored XSS)
* **Severity**: Medium
* **Release Date**: 2026/4/24
* **CVSS Score**: 4.2
* **CVSS Vector**: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N`
* **Vulnerability Description**: Versions of CyberPanel prior to 2.4.4 contain a stored cross-site scripting vulnerability in the AI Scanner dashboard. The `POST /api/ai-scanner/callback` endpoint lacks authentication, allowing unauthenticated attackers to inject malicious JavaScript by overwriting the `findings_json` field in scan history records. When an administrator accesses the AI Scanner dashboard, the injected script executes in the administrator's session, enabling the attacker to send same-origin requests that implant cron jobs and achieve remote code execution (RCE) on the server.

## Affected Scope

* **Affected Software**: CyberPanel
* **Affected Versions**: All versions prior to 2.4.4

## Remediation

* **Upgrade Software**: Upgrade CyberPanel to version 2.4.4 or later.

## References

* [Researcher Disclosure](https://www.vulncheck.com/advisories/cyberpanel-2-4-4-stored-xss-via-ai-scanner-dashboard)
* [Patch Commit](https://www.vulncheck.com/advisories/cyberpanel-2-4-4-stored-xss-via-ai-scanner-dashboard)
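
For triage on a host that ran a version prior to 2.4.4, the following added example (not CyberPanel code and not part of the advisory) flags `POST /api/ai-scanner/callback` requests from outside an expected source range and lists `findings_json` values that contain HTML or script markup. It assumes a combined-format access log and a hypothetical trusted network for the scanner service; the log lines and the findings document are constructed samples, since the real `findings_json` layout is not given on this page.

```python
import ipaddress
import json
import re

CALLBACK_PATH = "/api/ai-scanner/callback"  # endpoint named in the advisory
# Combined-log-format prefix (assumed): client, timestamp, method, target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# Markup that scanner findings shown in a dashboard should never contain.
MARKUP_RE = re.compile(r"<\s*(script|img|svg|iframe)\b|\bon\w+\s*=|javascript:", re.I)

# Constructed sample data (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Apr/2026:10:02:11 +0000] "POST /api/ai-scanner/callback HTTP/1.1" 200 41',
    '198.51.100.20 - - [24/Apr/2026:10:05:40 +0000] "POST /api/ai-scanner/callback HTTP/1.1" 200 41',
    '203.0.113.7 - - [24/Apr/2026:10:06:02 +0000] "GET /api/ai-scanner/callback HTTP/1.1" 405 0',
]
SAMPLE_FINDINGS = '[{"file": "index.php", "title": "ok"}, {"file": "a.php", "title": "<script>/*constructed*/</script>"}]'

def flag_callback_posts(log_lines, trusted_nets):
    """Return (ip, time, status) for callback POSTs from outside trusted_nets."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, when, method, target, status = m.groups()
        path = target.split("?", 1)[0].rstrip("/")
        if method != "POST" or path != CALLBACK_PATH:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            addr = None  # hostname or garbage in the client field: treat as untrusted
        if addr is None or not any(addr in n for n in nets):
            hits.append((ip, when, int(status)))
    return hits

def suspicious_findings(findings_json):
    """Return paths of string values that contain markup; raises on invalid JSON."""
    def walk(node, path):
        if isinstance(node, (dict, list)):
            items = node.items() if isinstance(node, dict) else enumerate(node)
            for key, value in items:
                yield from walk(value, f"{path}[{key!r}]")
        elif isinstance(node, str) and MARKUP_RE.search(node):
            yield path
    return list(walk(json.loads(findings_json), "$"))
```

A hit from either function is a reason to inspect the scan record and the server's cron entries, not proof of compromise; upgrading to 2.4.4 or later remains the fix.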