CVE-2026-34246
Deferred Deferred - Pending Action
Stored XSS in CtrlPanel Admin Role Management

Publication date: 2026-05-19

Last updated on: 2026-05-20

Assigner: GitHub, Inc.

Description
CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability exists in the admin role management interface. In app/Http/Controllers/Admin/RoleController.php, the datatable() method interpolates $role->name and $role->color directly into a <span> element's HTML and style attribute without sanitization, and the chained .rawColumns(['actions', 'name']) call instructs DataTables to render the name column as raw HTML, bypassing automatic output escaping. An admin with role creation or edit permissions can inject a payload such as <img src=x onerror="alert('XSS_POC')"> into the name or color fields, which is persisted to the database and executes in the browser of every admin who loads the /admin/roles page. This enables session hijacking via cookie theft, credential harvesting through fake login prompts or keyloggers, lateral privilege escalation by performing admin actions on behalf of victims, and a persistent backdoor that re-executes on every page load until the malicious role record is removed. This issue has been resolved in version 1.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-34246
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
ctrlpanel ctrlpanel to 1.2.0 (exc)
ctrlpanel ctrlpanel 1.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability is a Stored Cross-Site Scripting (XSS) issue in CtrlPanel, an open-source billing software for hosting providers, affecting versions 1.1.1 and prior.

Specifically, in the admin role management interface, the software directly inserts unsanitized role name and color values into HTML and style attributes. This allows an admin with role creation or edit permissions to inject malicious scripts into these fields.

When other admins load the roles page, the malicious script executes in their browsers, leading to potential session hijacking, credential theft, privilege escalation, and persistent backdoors.

This vulnerability was fixed in version 1.2.0.

Detection Guidance

This vulnerability involves stored Cross-Site Scripting (XSS) in the admin role management interface of CtrlPanel versions 1.1.1 and prior. Detection involves checking if malicious scripts are present in the role name or color fields that get rendered without sanitization.

Since the vulnerability is triggered when an admin loads the /admin/roles page, you can detect it by inspecting the HTML content of that page for suspicious script injections or payloads such as <img src=x onerror="alert('XSS_POC')"> in the role name or color fields.

There are no specific commands provided in the available information to detect this vulnerability automatically on your system or network.

Impact Analysis

This vulnerability can have several serious impacts:

  • Session hijacking through cookie theft, allowing attackers to impersonate admins.
  • Credential harvesting by displaying fake login prompts or using keyloggers.
  • Lateral privilege escalation by performing admin actions on behalf of other admins.
  • A persistent backdoor that executes malicious code every time the affected page is loaded until the malicious role record is removed.
Mitigation Strategies

The vulnerability has been resolved in CtrlPanel version 1.2.0. The immediate mitigation step is to upgrade your CtrlPanel installation to version 1.2.0 or later.

Until you can upgrade, you should restrict admin permissions to trusted users only, especially those with role creation or edit permissions, to prevent injection of malicious payloads.

Additionally, review and remove any suspicious or malicious role entries from the database that may contain injected scripts to stop persistent exploitation.

Compliance Impact

The vulnerability allows stored Cross-Site Scripting (XSS) attacks that can lead to session hijacking, credential theft, and unauthorized admin actions. Such security breaches can result in unauthorized access to sensitive data, which may violate data protection requirements under standards like GDPR and HIPAA.

Specifically, the exploitation of this vulnerability could lead to exposure of personal or protected health information through credential harvesting or session hijacking, thereby compromising confidentiality and integrity requirements mandated by these regulations.

Therefore, failure to patch this vulnerability could result in non-compliance with common security controls required by GDPR, HIPAA, and similar standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34246. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart