CVE-2026-23525 is a stored Cross-Site Scripting (XSS) vulnerability identified in the 1Panel open-source control panel used for Linux server management. The vulnerability arises from improper neutralization of input during web page generation, specifically in the App Store feature where application README files are rendered using the MdEditor component with the previewOnly attribute enabled. This component fails to adequately sanitize HTML content, allowing malicious actors to embed executable JavaScript code within application descriptions. When a user views these malicious application details, the embedded scripts execute in the user's browser context. This can lead to theft of session cookies, unauthorized command execution within the control panel, and potential system compromise. The vulnerability affects all 1Panel versions prior to 1.10.34-lts and 2.0.17, including versions 1.10.33-lts and 2.0.16. The attack vector requires network access, authenticated privileges, and user interaction, with a high attack complexity due to the need to publish or load malicious applications. The vulnerability also impacts system upgrade-related components that use the same MdEditor rendering approach. The issue is mitigated by applying proper XSS sanitization in the MdEditor component, which has been addressed in the patched versions. The CVSS v3.1 base score is 6.4, reflecting medium severity with high confidentiality, integrity, and availability impacts but mitigated by the attack complexity and required privileges. No known exploits have been reported in the wild as of the publication date.

For European organizations using 1Panel for Linux server management, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of critical server infrastructure. Exploitation could allow attackers to hijack user sessions, gain unauthorized access to administrative functions, and execute arbitrary commands, potentially leading to data breaches, service disruption, or lateral movement within networks. Given that 1Panel is used to manage multiple servers, a successful attack could cascade to affect numerous systems. The requirement for authenticated access and user interaction somewhat limits the attack surface but does not eliminate risk, especially in environments with multiple administrators or less stringent access controls. The vulnerability could be leveraged in targeted attacks against organizations with sensitive data or critical infrastructure, including hosting providers, cloud service operators, and enterprises relying on Linux servers. The absence of known exploits currently reduces immediate threat but patching is critical to prevent future exploitation. Failure to address this vulnerability could also lead to regulatory compliance issues under GDPR if personal data is compromised.

European organizations should immediately upgrade 1Panel installations to versions 1.10.34-lts or 2.0.17 or later, where the vulnerability is patched. Until upgrades are applied, restrict access to the 1Panel App Store and limit the ability to publish or install new applications to trusted administrators only. Implement strict input validation and output encoding for any custom integrations or plugins that interact with the MdEditor component. Conduct regular security audits and penetration testing focused on web interface components to detect similar XSS issues. Employ Content Security Policy (CSP) headers to reduce the impact of potential script injection. Monitor user activity logs for unusual behavior indicative of exploitation attempts. Educate administrators on the risks of loading untrusted content within the control panel. Finally, maintain an incident response plan to quickly address any signs of compromise related to this vulnerability.