CVE-2026-23525 is a stored Cross-Site Scripting (XSS) vulnerability identified in the 1Panel open-source web-based control panel used for Linux server management. The vulnerability arises from improper neutralization of input during web page generation, specifically in the 1Panel App Store's rendering of application README content. The root cause is insufficient sanitization in the MdEditor component when the `previewOnly` attribute is enabled, allowing malicious scripts embedded in application descriptions to execute in the context of the user's browser. This flaw extends to system upgrade-related components with similar rendering issues. An attacker with privileges to publish applications can embed malicious JavaScript payloads that execute when users view application details, potentially leading to session hijacking, unauthorized access to system functions, or other malicious actions compromising confidentiality, integrity, and availability. The vulnerability affects all 1Panel versions prior to v1.10.34-lts and versions from 2.0.0 up to but not including 2.0.17. The CVSS v3.1 score is 6.4, reflecting network attack vector, high attack complexity, required privileges, and user interaction. No known exploits are currently reported in the wild. Remediation involves applying patches that implement proper XSS sanitization in the MdEditor component to ensure safe rendering of user-generated content.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on 1Panel for managing Linux servers that host critical applications or sensitive data. Exploitation can lead to session hijacking, allowing attackers to impersonate legitimate users and gain unauthorized access to system functions, potentially leading to data breaches or system manipulation. The compromise of system integrity and availability could disrupt business operations, particularly in sectors such as finance, healthcare, and government where Linux servers are prevalent. Additionally, the ability to execute arbitrary scripts in user browsers increases the risk of lateral attacks within internal networks. Given the medium CVSS score but high potential impact on confidentiality and integrity, organizations that have not updated to patched versions remain at risk. The absence of known exploits reduces immediate threat but does not eliminate the risk of future attacks, especially as threat actors often target unpatched open-source management tools.

European organizations should immediately upgrade 1Panel installations to versions v1.10.34-lts or v2.0.17 or later, which include patches addressing the XSS vulnerability. Until patches are applied, restrict publishing privileges to trusted administrators only to reduce the risk of malicious application uploads. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers accessing the 1Panel interface. Conduct regular audits of applications published in the 1Panel App Store to detect any suspicious or unauthorized content. Employ web application firewalls (WAFs) with XSS detection capabilities to monitor and block malicious payloads targeting the vulnerable components. Educate users on the risks of interacting with untrusted content within the control panel interface. Finally, monitor logs for unusual activity that may indicate exploitation attempts and maintain an incident response plan tailored to web application vulnerabilities.