CVE-2026-34241
Description
CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability in the ticket reply notification system. Unsanitized reply content ($newmessage) is stored directly in database notification payloads and later rendered unescaped via Blade's {!! !!} syntax in the recipient's browser. The flaw exists in both App\Notifications\Ticket\Admin\AdminReplyNotification (triggered when a user replies, targeting admins) and App\Notifications\Ticket\User\ReplyNotification (triggered when an admin replies, targeting users), allowing arbitrary JavaScript execution in the victim's session context. A low-privileged attacker can exploit this to hijack admin sessions, harvest credentials via fake login prompts or keyloggers, and escalate privileges by performing administrative actions on the victim's behalf. The reverse path also enables a malicious or compromised admin to target regular users in the same manner. This issue has been fixed in version 1.2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CtrlPanel versions ≤1.1.1 have stored XSS in ticket reply notifications, letting low-privileged users execute arbitrary JS in admin browsers to hijack sessions and escalate privileges.
Vulnerability
Versions 1.1.1 and prior of CtrlPanel, an open-source billing platform for hosting providers, contain a Stored Cross-Site Scripting (XSS) vulnerability in the ticket reply notification system. The flaw exists in App\Notifications\Ticket\Admin\AdminReplyNotification (triggered when a user replies, targeting admins) and App\Notifications\Ticket\User\ReplyNotification (triggered when an admin replies, targeting users). Unsanitized reply content ($newmessage) is stored directly in the database notification payload and later rendered unescaped via Blade's {!! !!} syntax in the recipient's browser [2].
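As an added illustration (not CtrlPanel's code), the following PHP stand-in shows a notification payload being stored verbatim and then rendered the way Blade's raw `{!! !!}` tag does versus the escaping `{{ }}` tag, plus a check for stored notification rows that already contain markup; the function names and the sample reply are assumptions.

```php
<?php
// Added example, not CtrlPanel's code. Function names are hypothetical and the
// sample reply below is constructed. Mimics a Laravel database notification
// payload carrying a ticket reply and the two Blade rendering modes.

// Shape of what Notification::toArray() returns before Laravel JSON-encodes it
// into the notifications.data column: the reply text is stored verbatim.
function buildReplyPayload(string $ticketTitle, string $newmessage): array
{
    return ['title' => $ticketTitle, 'content' => $newmessage];
}

// Equivalent of `{!! $data['content'] !!}`: the stored string is emitted as-is,
// so any markup or script in the reply executes in the recipient's browser.
function renderRaw(array $data): string
{
    return '<div class="notification">' . $data['content'] . '</div>';
}

// Equivalent of `{{ $data['content'] }}`, which compiles to Laravel's e() helper,
// i.e. htmlspecialchars() with ENT_QUOTES | ENT_SUBSTITUTE and UTF-8.
function renderEscaped(array $data): string
{
    $safe = htmlspecialchars($data['content'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="notification">' . $safe . '</div>';
}

// Defender check: return ids of stored notification rows whose content contains
// markup, for review after upgrading. Each $row mimics a notifications table
// record with its JSON `data` column. Heuristic: strip_tags() changing the
// string means a tag was present; bare angle brackets may cause false positives.
function findNotificationsWithMarkup(array $rows): array
{
    $hasMarkup = function (array $row): bool {
        $content = json_decode($row['data'], true)['content'] ?? '';
        return $content !== strip_tags($content);
    };
    return array_column(array_values(array_filter($rows, $hasMarkup)), 'id');
}

// Constructed sample reply; the script body is a harmless marker.
$payload = buildReplyPayload('Ticket #42', 'Thanks! <script>console.log("marker")</script>');
echo renderRaw($payload), PHP_EOL;      // the script tag reaches the browser unchanged
echo renderEscaped($payload), PHP_EOL;  // the tag is rendered as inert text

$rows = [
    ['id' => 'a1', 'data' => json_encode($payload)],
    ['id' => 'b2', 'data' => json_encode(buildReplyPayload('Ticket #43', 'Plain reply'))],
];
print_r(findNotificationsWithMarkup($rows));
```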
Exploitation
A low-privileged attacker must be an authenticated user with access to submit ticket replies. The attacker posts a reply containing a JavaScript payload, such as `` [2]. When an administrator opens their notifications panel, the payload executes immediately in the admin's browser context. The reverse path also works: a malicious or compromised admin can inject a payload via a ticket reply that executes in the target user's notification feed [2].
Impact
Successful exploitation allows arbitrary JavaScript execution in the victim's session context. This enables session hijacking (stealing the admin's session cookie), credential harvesting (via fake login prompts or keyloggers), and privilege escalation (performing administrative actions on the victim's behalf) [2]. The reverse path allows an admin to compromise regular users similarly.
Mitigation
The vulnerability is fixed in version 1.2.0, released on 2026-05-19 [1]. Users should upgrade immediately. No workarounds have been published for versions prior to 1.2.0 [2]. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE) range: <=1.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.