The vulnerability is a stored cross‑site scripting flaw located in the AI Scanner dashboard of CyberPanel versions prior to 2.4.4. An unauthenticated attacker can POST arbitrary JavaScript to the /api/ai-scanner/callback endpoint, overwriting the findings_json field of ScanHistory records. The injected script is executed in the context of an administrator’s authenticated session when the admin visits the dashboard, enabling the attacker to issue same‑origin requests that plant cron jobs and ultimately execute code on the server. The primary impact is the ability for an attacker to obtain remote code execution on the affected host.

The affected product is CyberPanel by usmannasir. All releases before version 2.4.4 are vulnerable; the issue was identified in the AI Scanner feature of those builds. No specific patch level is listed beyond the noted 2.4.4 release, which contains the fix.

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, implying it is not a widely exploited or actively targeted flaw. Attackers must send a malicious POST request to an open endpoint that is accessible without authentication and then rely on an administrator visiting the AI Scanner dashboard. While the attack requires a victim to perform an administrative action, the potential for remote code execution makes it a high‑value target for an attacker willing to pursue this vector.