1Panel-dev — Vulnerabilities & Security Advisories (53)

Browse all 53 CVE security advisories affecting 1Panel-dev. AI-powered Chinese analysis, POCs, and references for each vulnerability.

1Panel-dev is an open-source, modern Linux server management tool designed to simplify the deployment and management of web applications through a graphical interface. Its architecture integrates containerization technologies, allowing users to manage databases, proxies, and monitoring services efficiently. Historically, the platform has been associated with forty-four recorded Common Vulnerabilities and Exposures (CVEs), predominantly involving remote code execution, cross-site scripting, and privilege escalation flaws. These vulnerabilities often stem from insufficient input validation in API endpoints or improper access control mechanisms within the web interface. Notable incidents include critical RCE exploits that allowed unauthenticated attackers to gain full system control, highlighting risks inherent in complex management panels. While the project actively patches these issues, the high volume of past CVEs underscores the importance of rigorous security auditing for administrators relying on this tool for critical infrastructure management.

Top products by 1Panel-dev: MaxKB, 1Panel, KubePi, CordysCRM

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-56779 | MaxKB < 2.10.0 - Server-Side Request Forgery via downloadCallbackUrl and download_url Parameters | MaxKB | CWE-918 | 6.4 | Medium | 2026-06-25 |
| CVE-2026-10567 | 1Panel-dev CordysCRM ModuleFormController ModuleFormService.java save cross site scripting | CordysCRM | CWE-79 | 3.5 | Low | 2026-06-02 |
| CVE-2026-10514 | 1Panel-dev CordysCRM RequestParamTrimConfig.java cross site scripting | CordysCRM | CWE-79 | 2.4 | Low | 2026-06-01 |
| CVE-2026-42336 | MaxKB: SSRF Bypass via DNS Rebinding in MaxKB OSS URL Fetch | MaxKB | CWE-367 | - | - | 2026-05-26 |
| CVE-2026-42337 | MaxKB: Broken Access Control in MaxKB OSS URL Fetch API | MaxKB | CWE-862 | - | - | 2026-05-26 |
| CVE-2026-44847 | MaxKB: Webhook Trigger Authentication Bypass | MaxKB | CWE-287 | 7.5 | High | 2026-05-26 |
| CVE-2026-45412 | MaxKB: Unauthenticated SSRF via Workflow Template Import | MaxKB | CWE-918 | - | - | 2026-05-26 |
| CVE-2026-45413 | MaxKB: Unsalted MD5 Password Hashing | MaxKB | CWE-328 | - | - | 2026-05-26 |
| CVE-2026-42335 | MaxKB: SSRF Bypass in MaxKB OSS URL Fetch due to URL Parsing Discrepancy | MaxKB | CWE-918 | - | - | 2026-05-26 |
| CVE-2026-39426 | MaxKB: Stored XSS via Unsanitized iframe_render Parsing | MaxKB | CWE-79 | 5.4 | - | 2026-04-14 |
| CVE-2026-39425 | MaxKB: Stored XSS via Unsanitized html_rander Tags in Markdown Rendering | MaxKB | CWE-80 | 5.4 | - | 2026-04-14 |
| CVE-2026-39419 | MaxKB: Sandbox Result Validation Bypass via Tool Output Spoofing | MaxKB | CWE-74 | 3.1 | Low | 2026-04-14 |
| CVE-2026-39424 | MaxKB has CSV Injection in its Application Chat Export Functionality | MaxKB | CWE-1236 | 7.8 | - | 2026-04-14 |
| CVE-2026-39423 | Stored XSS via Eval Injection in EchartsRander Component | MaxKB | CWE-79 | 5.4 | - | 2026-04-14 |
| CVE-2026-39422 | MaxKB has Stored XSS via ChatHeadersMiddleware | MaxKB | CWE-79 | 5.4 | - | 2026-04-14 |
| CVE-2026-39421 | MaxKB: Sandbox escape via ctypes and unhooked SYS_pkey_mprotect | MaxKB | CWE-693 | 6.3 | Medium | 2026-04-14 |
| CVE-2026-39420 | MaxKB: Sandbox escape via LD_PRELOAD bypass | MaxKB | CWE-693 | 6.3 | Medium | 2026-04-14 |
| CVE-2026-39418 | MaxKB: SSRF via sandbox network hook bypass | MaxKB | CWE-918 | 5.0 | Medium | 2026-04-14 |
| CVE-2026-39417 | MaxKB: RCE via MCP stdio command injection in workflow engine | MaxKB | CWE-78 | 4.6 | Medium | 2026-04-14 |
| CVE-2025-15632 | 1Panel-dev MaxKB MdPreview chat.ts cross site scripting | MaxKB | CWE-79 | 3.5 | Low | 2026-04-13 |
| CVE-2026-6108 | 1Panel-dev MaxKB Model Context Protocol Node base_mcp_node.py execute os command injection | MaxKB | CWE-78 | 6.3 | Medium | 2026-04-12 |
| CVE-2026-6107 | 1Panel-dev MaxKB ChatHeadersMiddleware chat_headers_middleware.py cross site scripting | MaxKB | CWE-79 | 3.5 | Low | 2026-04-12 |
| CVE-2026-6106 | 1Panel-dev MaxKB Public Chat static_headers_middleware.py StaticHeadersMiddleware cross site scripting | MaxKB | CWE-79 | 3.5 | Low | 2026-04-11 |
| CVE-2026-23525 | 1panel App Store vulnerable to Cross-site Scripting | 1Panel | CWE-79 | 6.4 | Medium | 2026-01-18 |
| CVE-2025-66446 | MaxKB has a Python sandbox LD_PRELOAD bypass | MaxKB | CWE-362 | 8.8 | High | 2025-12-11 |
| CVE-2025-66419 | MaxKB vulnerable to privilege escalation through sandbox bypass | MaxKB | CWE-362 | 8.8 | High | 2025-12-11 |
| CVE-2025-66508 | 1Panel IP Access Control Bypass via Untrusted X-Forwarded-For Headers | 1Panel | CWE-290 | 6.5 | Medium | 2025-12-09 |
| CVE-2025-66507 | 1Panel – CAPTCHA Bypass via Client-Controlled Flag | 1Panel | CWE-602 | 7.5 | High | 2025-12-09 |
| CVE-2025-64703 | MaxKB has Information Leak in sandbox | MaxKB | CWE-200 | 6.3 | Medium | 2025-11-13 |
| CVE-2025-64511 | MaxKB has SSRF in sandbox | MaxKB | CWE-918 | 7.4 | High | 2025-11-13 |

This page lists every published CVE security advisory associated with 1Panel-dev. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.