CVE-2026-34246
Description
CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability in the admin role management interface. In app/Http/Controllers/Admin/RoleController.php, the datatable() method interpolates $role->name and $role->color directly into an element's HTML and style attribute without sanitization, and the chained .rawColumns(['actions', 'name']) call instructs DataTables to render the name column as raw HTML, bypassing automatic output escaping. An admin with role creation or edit permissions can inject a script payload into the name or color fields; the payload is persisted to the database and executes in the browser of every admin who loads the /admin/roles page. This enables session hijacking via cookie theft, credential harvesting through fake login prompts or keyloggers, lateral privilege escalation by performing admin actions on behalf of victims, and a persistent backdoor that re-executes on every page load until the malicious role record is removed. This issue has been resolved in version 1.2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in CtrlPanel admin role management allows an admin to inject JavaScript into role names/colors, executing in all admin browsers on the roles page.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in CtrlPanel versions 1.1.1 and prior. In app/Http/Controllers/Admin/RoleController.php, the datatable() method constructs an HTML string by directly interpolating $role->name and $role->color into an element without escaping. The chained .rawColumns(['actions', 'name']) call instructs DataTables to render the name column as raw HTML, bypassing automatic output escaping. This allows an admin with role creation or edit permissions to inject arbitrary JavaScript into the name or color fields, which is persisted to the database and executed when any admin loads the /admin/roles page [1][2].
Exploitation
An attacker must be authenticated as an admin with permissions to create or edit roles. The attacker navigates to the role creation or edit form, then enters a script payload into the Name field (or a similar payload into the Color field). After saving the role, every admin who visits Admin → Roles (/admin/roles) will have the payload executed in their browser session [2]. No further user interaction is required beyond loading the page.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of all other admins viewing the roles list. This enables session hijacking via cookie theft, credential harvesting through fake login prompts or keyloggers, lateral privilege escalation by performing admin actions on behalf of victims, and a persistent backdoor that re-executes on every page load until the malicious role record is removed [2].
Mitigation
The vulnerability is fixed in CtrlPanel version 1.2.0, released on 2025-04-24 [1]. Administrators should upgrade to version 1.2.0 or later. As a workaround, if upgrading is not immediately possible, the advisory suggests disabling the role management interface or restricting role creation/edit permissions to highly trusted users until the upgrade can be applied [2].
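The advisory describes the defect as two things combining: attacker-controlled strings interpolated into markup and a style attribute, and the column then declared raw so DataTables performs no escaping. The following is an added illustration, not CtrlPanel's code and not the 1.2.0 patch: a minimal Role class and two cell renderers, one following the described vulnerable pattern and one hardened. The class, helper names and sample values are assumptions constructed for this example.

```php
<?php
// Added example, not CtrlPanel's code. It mimics the pattern the advisory
// describes: a DataTables column callback that builds an HTML cell for a role
// and is later declared raw via rawColumns(). The Role class and the two
// renderer names are assumptions for this example.

final class Role
{
    public function __construct(public string $name, public string $color) {}
}

// Vulnerable pattern described in the advisory: name and color are dropped
// straight into markup and a style attribute. Because the column is rendered
// raw, nothing downstream escapes them, so stored markup reaches the browser.
function renderRoleCellUnsafe(Role $role): string
{
    return '<span style="color:' . $role->color . '">' . $role->name . '</span>';
}

// Hardened version. Two separate contexts need two separate defenses:
//  - the style attribute is a CSS context, where HTML escaping does not help,
//    so the color is checked against a strict allow-list (#RRGGBB) and
//    replaced by a neutral default when it does not match;
//  - the text node is an HTML context, so the name is HTML-escaped.
// The column may then be declared raw without letting stored payloads through.
function renderRoleCellSafe(Role $role): string
{
    $color = preg_match('/\A#[0-9A-Fa-f]{6}\z/', $role->color) ? $role->color : '#6c757d';
    $name  = htmlspecialchars($role->name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf('<span style="color:%s">%s</span>', $color, $name);
}

// Constructed sample record: the name carries markup and the color carries
// extra CSS declarations, the two fields the advisory identifies as sinks.
$role = new Role('Support <b>staff</b>', 'red;background:url(x)');

// The unsafe renderer emits the markup and the extra CSS unchanged; the safe
// renderer falls back to the default color and shows the name as literal text.
echo renderRoleCellUnsafe($role), PHP_EOL;
echo renderRoleCellSafe($role), PHP_EOL;
```

In a Laravel code base the `e()` helper is the equivalent of the `htmlspecialchars` call above. Escaping at render time is the fix that matters here, because the records are already stored; tightening the form validation on the color field (same allow-list pattern) is a useful complement but does not clean up rows that were saved before the fix.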
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), version range: <=1.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.