CVE-2026-34241: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Ctrlpanel-gg panel
CtrlPanel versions 1. 1. 1 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability in the ticket reply notification system. Unsanitized user input is stored and later rendered without escaping, allowing execution of arbitrary JavaScript in the victim's browser. This affects both admin and user notification paths, enabling attackers to hijack sessions, steal credentials, or perform actions with elevated privileges. The vulnerability has been fixed in version 1. 2. 0.
AI Analysis
Technical Summary
CtrlPanel-gg panel versions prior to 1.2.0 have a stored XSS vulnerability (CWE-79) in the ticket reply notification system. The issue arises because reply content ($newmessage) is stored unsanitized in the database and rendered unescaped using Blade's {!! !!} syntax in notifications sent to admins and users. This allows low-privileged attackers to execute arbitrary JavaScript in the context of victims' sessions, potentially hijacking admin sessions or compromising user accounts. The flaw affects both directions of communication between users and admins. The vulnerability is tracked as CVE-2026-34241 with a CVSS 3.1 score of 8.7 (high severity).
Potential Impact
Successful exploitation allows arbitrary JavaScript execution in the victim’s browser session, leading to session hijacking, credential theft via fake login prompts or keyloggers, and privilege escalation through unauthorized administrative actions. Both admins and users can be targeted depending on the direction of the notification. This can compromise the confidentiality and integrity of user sessions and data within the CtrlPanel environment.
Mitigation Recommendations
This vulnerability has been fixed in CtrlPanel version 1.2.0. Users should upgrade to version 1.2.0 or later to remediate this issue. Since the product is not a cloud service and no official patch link or advisory is provided, upgrading to the fixed version is the recommended action. Patch status is confirmed by the vendor stating the fix is included in version 1.2.0.
CVE-2026-34241: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Ctrlpanel-gg panel
Description
CtrlPanel versions 1. 1. 1 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability in the ticket reply notification system. Unsanitized user input is stored and later rendered without escaping, allowing execution of arbitrary JavaScript in the victim's browser. This affects both admin and user notification paths, enabling attackers to hijack sessions, steal credentials, or perform actions with elevated privileges. The vulnerability has been fixed in version 1. 2. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CtrlPanel-gg panel versions prior to 1.2.0 have a stored XSS vulnerability (CWE-79) in the ticket reply notification system. The issue arises because reply content ($newmessage) is stored unsanitized in the database and rendered unescaped using Blade's {!! !!} syntax in notifications sent to admins and users. This allows low-privileged attackers to execute arbitrary JavaScript in the context of victims' sessions, potentially hijacking admin sessions or compromising user accounts. The flaw affects both directions of communication between users and admins. The vulnerability is tracked as CVE-2026-34241 with a CVSS 3.1 score of 8.7 (high severity).
Potential Impact
Successful exploitation allows arbitrary JavaScript execution in the victim’s browser session, leading to session hijacking, credential theft via fake login prompts or keyloggers, and privilege escalation through unauthorized administrative actions. Both admins and users can be targeted depending on the direction of the notification. This can compromise the confidentiality and integrity of user sessions and data within the CtrlPanel environment.
Mitigation Recommendations
This vulnerability has been fixed in CtrlPanel version 1.2.0. Users should upgrade to version 1.2.0 or later to remediate this issue. Since the product is not a cloud service and no official patch link or advisory is provided, upgrading to the fixed version is the recommended action. Patch status is confirmed by the vendor stating the fix is included in version 1.2.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-26T16:22:29.034Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0cd72dba1db47362f031e8
Added to database: 5/19/2026, 9:33:33 PM
Last enriched: 5/19/2026, 9:48:28 PM
Last updated: 5/19/2026, 11:09:00 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.