Description
CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability in the admin role management interface. In app/Http/Controllers/Admin/RoleController.php, the datatable() method interpolates $role->name and $role->color directly into a <span> element's HTML and style attribute without sanitization, and the chained .rawColumns(['actions', 'name']) call instructs DataTables to render the name column as raw HTML, bypassing automatic output escaping. An admin with role creation or edit permissions can inject a payload such as <img src=x onerror="alert('XSS_POC')"> into the name or color fields, which is persisted to the database and executes in the browser of every admin who loads the /admin/roles page. This enables session hijacking via cookie theft, credential harvesting through fake login prompts or keyloggers, lateral privilege escalation by performing admin actions on behalf of victims, and a persistent backdoor that re-executes on every page load until the malicious role record is removed. This issue has been resolved in version 1.2.0.
Published: 2026-05-19
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Stored Cross-Site Scripting flaw where role names and colors are output raw in a data table without sanitization. This is an example of CWE-116 (Improper Encoding for Output) and CWE-80 (Cross-Site Scripting). An administrator with the ability to create or edit roles can store crafted HTML or JavaScript in these fields, which the browser will subsequently execute when any admin visits the /admin/roles page. This capability enables an attacker to hijack admin sessions, steal credentials, or perform actions on behalf of victims through the vulnerable page. The flaw is present in CtrlPanel versions 1.1.1 and earlier. The impacted product, a billing platform used by hosting providers, allows role management via a DataTables interface that renders the name column as raw HTML. The issue was patched in release 1.2.0. The CVSS score is a moderate 4.8 and no EPSS data is available; the risk is limited to accounts that have authority to create or edit roles. An attacker needs an existing privileged account to inject the payload, and the compromise requires an admin to load the vulnerable page, making widespread exploitation unlikely. Nevertheless, the flaw permits serious privilege escalation within an organization.

Affected Systems

CtrlPanel billing software by Ctrlpanel-gg, specifically the panel component. Versions 1.1.1 and earlier are vulnerable, while the issue was resolved in release 1.2.0.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity. EPSS is not available, and the vulnerability is not listed in CISA KEV. The likely attack vector requires an administrator with role-creation or editing rights to inject a payload; the malicious code is stored and executed whenever an admin loads the /admin/roles page. Because exploitation depends on privileged access and a specific page view, the overall risk is moderate, but organizations should patch promptly.

Generated by OpenCVE AI on May 19, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to CtrlPanel version 1.2.0 to eliminate the stored XSS flaw.
  • Audit the database for any role entries containing unsanitized names or colors and remove or sanitize them.
  • Restrict role creation and editing privileges to trusted administrators until the update is fully deployed.
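The following is an added example, not CtrlPanel's own code: a hardened form of the name-column rendering described in the advisory, plus an audit helper for the clean-up step in the recommended actions. It assumes Laravel with the yajra/laravel-datatables package and a Role model carrying id, name and color attributes; the class name is hypothetical.

```php
<?php
// Added example, not CtrlPanel's own code. Assumes Laravel with yajra/laravel-datatables
// (DataTables::of, editColumn, rawColumns, make) and a Role model with `id`, `name` and
// `color` attributes, as the advisory describes; the class name is hypothetical.

use App\Models\Role;
use Yajra\DataTables\Facades\DataTables;

final class RoleColumnHardening
{
    // Only a plain 3- or 6-digit hex colour may reach the style attribute.
    public static function isHexColor(?string $color): bool
    {
        return preg_match('/^#(?:[0-9A-Fa-f]{3}|[0-9A-Fa-f]{6})$/', (string) $color) === 1;
    }

    // Same <span> the vulnerable datatable() produced, but the name is escaped for an
    // HTML text context with Laravel's e() helper and the colour is validated rather
    // than escaped (entity encoding alone does not make a CSS value safe). Marking the
    // column raw is then harmless because nothing interpolated is attacker-controlled markup.
    public static function renderName(string $name, ?string $color): string
    {
        $safeColor = self::isHexColor($color) ? $color : '#000000';
        return '<span style="color: ' . $safeColor . '">' . e($name) . '</span>';
    }

    public static function datatable()
    {
        return DataTables::of(Role::query())
            ->editColumn('name', fn (Role $role) => self::renderName($role->name, $role->color))
            ->rawColumns(['actions', 'name'])
            ->make(true);
    }

    // Clean-up helper: returns the ids of stored roles whose name contains HTML
    // metacharacters or whose colour is not a plain hex value, for manual review.
    public static function suspiciousRoleIds(iterable $roles): array
    {
        $ids = [];
        foreach ($roles as $role) {
            $badName  = preg_match('/[<>"\'&]/', (string) $role->name) === 1;
            $badColor = $role->color !== null && !self::isHexColor($role->color);
            if ($badName || $badColor) {
                $ids[] = $role->id;
            }
        }
        return $ids;
    }
}
```

Passing `Role::all()` to suspiciousRoleIds() from a tinker session or a one-off artisan command yields the list of records to review before or after upgrading.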



Advisories

No advisories yet.

History

Wed, 20 May 2026 18:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 11:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ctrlpanel-gg; Ctrlpanel-gg panel
Vendors & Products | | Ctrlpanel-gg; Ctrlpanel-gg panel

Tue, 19 May 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability in the admin role management interface. In app/Http/Controllers/Admin/RoleController.php, the datatable() method interpolates $role->name and $role->color directly into a <span> element's HTML and style attribute without sanitization, and the chained .rawColumns(['actions', 'name']) call instructs DataTables to render the name column as raw HTML, bypassing automatic output escaping. An admin with role creation or edit permissions can inject a payload such as <img src=x onerror="alert('XSS_POC')"> into the name or color fields, which is persisted to the database and executes in the browser of every admin who loads the /admin/roles page. This enables session hijacking via cookie theft, credential harvesting through fake login prompts or keyloggers, lateral privilege escalation by performing admin actions on behalf of victims, and a persistent backdoor that re-executes on every page load until the malicious role record is removed. This issue has been resolved in version 1.2.0.
Title | | CtrlPanel: Stored XSS in Admin Role Management via Unescaped DataTable HTML Output
Weaknesses | | CWE-116; CWE-80
References | |
Metrics | | cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T17:21:20.034Z

Reserved: 2026-03-26T16:22:29.034Z

Link: CVE-2026-34246

Vulnrichment

Updated: 2026-05-20T17:20:44.318Z

NVD

Status: Deferred

Published: 2026-05-19T22:16:37.460

Modified: 2026-05-20T18:16:26.987

Link: CVE-2026-34246

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:38:55Z

Weaknesses