CVE-2022-26332
Description
Cipi 3.1.15 allows Add Server stored XSS via the /api/servers name field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cipi 3.1.15 stores unsanitized user input in the Add Server name field, enabling authenticated stored XSS.
Vulnerability
Cipi 3.1.15 contains a stored cross-site scripting (XSS) vulnerability in the /api/servers endpoint. The name parameter of the Add Server function is not sanitized before being stored and later rendered. The affected version is Cipi 3.1.15; later releases (4.5.0 and up) are not affected, as the project was renamed and re-architected [1][2][4].
Exploitation
An authenticated attacker with access to the server management panel sends a crafted POST request to /api/servers with a malicious payload in the name field, such as one beginning with `">`. No special privileges beyond a valid API token are required. The payload is stored and executed when any user views the server list or detail page [4].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of other users' browsers. This can lead to session hijacking, credential theft, or further actions within the Cipi panel. The attack is limited to authenticated users of the panel [4].
Mitigation
The vulnerability exists in Cipi 3.1.15, which is an obsolete version of the project. The project has been renamed to "cipi-sh/cipi" and released version 4.5.0, which includes numerous security and stability fixes [1][2]. Users should upgrade to the latest version (4.5.0 or later) to remediate the XSS issue. No workaround is available for the outdated 3.1.15 release [1][2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| andreapollastri/cipi (Packagist) | <= 3.1.15 | — |
Affected products
- Cipi/Cipi
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper neutralization of user-controllable input in the `/api/servers` name field before it is stored and later rendered as a web page, leading to stored cross-site scripting (XSS)."
Attack vector
An attacker with access to the Cipi panel API sends a POST request to `/api/servers` with a malicious payload in the `name` field.
Affected code
The vulnerability exists in the Cipi REST API endpoint `/api/servers`. The `name` field in the Add Server request is not sanitized before being stored and later rendered in the panel's web interface, allowing stored XSS. The advisory does not specify the exact file or function responsible for handling this input.
What the fix does
The CVE description and the supplied reference write-ups do not include a patch or remediation guidance specific to this XSS vulnerability. The release notes in [1] describe fixes for other issues (e.g., silent 500 errors, database locking, memory drift) but do not mention any input sanitization or output encoding changes for the `/api/servers` name field. No fix is published in the provided materials.
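Since no fix is published, the Python sketch below is an added illustration (not Cipi's code) of the two controls that close this class of bug: allowlist validation of `name` at the API boundary and HTML encoding at the rendering sink, shown beside the unchecked store-then-render flow described above. The hostname-style name pattern, the row template and the probe string are assumptions constructed for the example.

```python
import html
import re

# Assumed allowlist for a server name: a hostname-style label of 1-63
# characters. This is a choice made for the example, not a rule from Cipi.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,62}")


def store_name_vulnerable(payload: dict) -> str:
    """Mirrors the flaw described above: the submitted name is stored as received."""
    return payload["name"]


def store_name_hardened(payload: dict) -> str:
    """Validate at the API boundary: anything outside the allowlist is rejected."""
    name = payload.get("name")
    if not isinstance(name, str) or NAME_RE.fullmatch(name) is None:
        raise ValueError("invalid server name")
    return name


def hardened_rejects(payload: dict) -> bool:
    """True when the hardened path refuses the payload (convenience for checks)."""
    try:
        store_name_hardened(payload)
    except ValueError:
        return True
    return False


def render_row_vulnerable(name: str) -> str:
    """Stored value interpolated into HTML with no encoding: the stored-XSS sink."""
    return f'<tr><td data-name="{name}">{name}</td></tr>'


def render_row_hardened(name: str) -> str:
    """Encode at the sink; quote=True also covers the attribute context."""
    safe = html.escape(name, quote=True)
    return f'<tr><td data-name="{safe}">{safe}</td></tr>'


def find_suspicious_names(stored_names: list) -> list:
    """Defender-side audit of names already in the database: flag any that
    contain HTML metacharacters, since validation only protects new input."""
    return [n for n in stored_names if any(c in n for c in '<>"\'&')]
```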
Preconditions
- Network: the attacker must have network access to the Cipi panel API endpoint.
- Input: the attacker must be able to send a POST request to /api/servers.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-vpmw-77vm-4mjg (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-26332 (advisory)
- www.exploit-db.com/exploits/50788 (web, misc)
News mentions
No linked articles in our index yet.