VYPR
Medium severity · 6.1 · NVD Advisory · Published Apr 24, 2026 · Updated Apr 28, 2026

CVE-2026-41472

Description

CyberPanel versions before 2.4.4 contain a stored cross-site scripting vulnerability in the AI Scanner dashboard. The POST /api/ai-scanner/callback endpoint does not authenticate its caller, so an unauthenticated attacker can overwrite the findings_json field of a ScanHistory record with attacker-controlled content. Because the dashboard renders that field back into the page without adequate output encoding, the injected JavaScript executes in an administrator's authenticated session as soon as the administrator opens the AI Scanner dashboard. From there the script can issue same-origin requests with the administrator's privileges, for example to create a cron job, and so achieve remote code execution on the server.
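The three defects chained above (an unauthenticated write to findings_json, an output path that trusts it, and the resulting script running as the admin) are easiest to see side by side. The following is an added illustration, not CyberPanel's code and not the project's fix: it models ScanHistory as an in-memory dict, shows a callback/dashboard pair with the vulnerable pattern, and then a hardened pair that authenticates the callback with an HMAC bound to the scan id, allowlists the structure of the findings before storing them, and HTML-escapes on output. The shared secret CALLBACK_SECRET, the finding schema and the status codes are assumptions for the example.

```python
import hashlib
import hmac
import html
import json
import secrets

# Assumption for this example: a per-install secret shared only with the scanner
# backend. The real service would need an equivalent credential; this is not its code.
CALLBACK_SECRET = secrets.token_bytes(32)

# Constructed in-memory stand-in for the ScanHistory table: scan_id -> record.
SCAN_HISTORY = {}

# Assumed finding schema; anything outside this allowlist is rejected.
ALLOWED_FINDING_KEYS = {"title": str, "detail": str, "severity": str}
SEVERITIES = {"low", "medium", "high", "critical"}
MAX_FINDINGS = 200


def create_scan(scan_id, owner):
    """Register a scan the way the dashboard would when an admin starts one."""
    SCAN_HISTORY[scan_id] = {"owner": owner, "findings_json": "[]"}
    return scan_id


# --- vulnerable pattern: unauthenticated callback + unescaped rendering --------

def vulnerable_callback(body):
    """Accepts any caller and stores whatever findings_json they send."""
    data = json.loads(body)
    SCAN_HISTORY[data["scan_id"]]["findings_json"] = data["findings_json"]
    return 200


def render_dashboard_unsafe(scan_id):
    """Interpolates finding text straight into HTML: the stored XSS sink."""
    findings = json.loads(SCAN_HISTORY[scan_id]["findings_json"])
    return "".join(f"<li>{f['title']}: {f['detail']}</li>" for f in findings)


# --- hardened pattern: authenticated callback, schema check, output encoding --

def sign_callback(scan_id, findings_json):
    """HMAC over the scan id and the exact findings_json string the scanner sends."""
    msg = scan_id.encode() + b"\n" + findings_json.encode()
    return hmac.new(CALLBACK_SECRET, msg, hashlib.sha256).hexdigest()


def build_scanner_report(scan_id, findings):
    """What a legitimate scanner would send: body bytes plus the signature header."""
    findings_json = json.dumps(findings)
    body = json.dumps({"scan_id": scan_id, "findings_json": findings_json}).encode()
    return body, sign_callback(scan_id, findings_json)


def validate_findings(findings):
    """Allowlist the structure before anything reaches the database."""
    if not isinstance(findings, list) or len(findings) > MAX_FINDINGS:
        return False
    for f in findings:
        if not isinstance(f, dict) or set(f) != set(ALLOWED_FINDING_KEYS):
            return False
        if not all(isinstance(f[k], t) for k, t in ALLOWED_FINDING_KEYS.items()):
            return False
        if f["severity"] not in SEVERITIES:
            return False
    return True


def hardened_callback(body, signature_header):
    """Returns an HTTP-style status; only a signed, well-formed report is stored."""
    try:
        data = json.loads(body)
    except ValueError:
        return 400
    if not isinstance(data, dict):
        return 400
    scan_id = data.get("scan_id")
    findings_json = data.get("findings_json")
    if not isinstance(scan_id, str) or not isinstance(findings_json, str):
        return 400
    if scan_id not in SCAN_HISTORY:
        return 404
    # The signature covers the scan id, so a valid signature for one scan
    # cannot be replayed to overwrite another scan's findings.
    expected = sign_callback(scan_id, findings_json)
    if not hmac.compare_digest(expected, signature_header or ""):
        return 401
    try:
        findings = json.loads(findings_json)
    except ValueError:
        return 400
    if not validate_findings(findings):
        return 400
    # Store the re-serialised validated structure, not the raw string.
    SCAN_HISTORY[scan_id]["findings_json"] = json.dumps(findings)
    return 200


def render_dashboard_safe(scan_id):
    """Escape on output: the browser receives text, never markup, from findings."""
    findings = json.loads(SCAN_HISTORY[scan_id]["findings_json"])
    return "".join(
        f"<li>{html.escape(f['title'])}: {html.escape(f['detail'])}</li>"
        for f in findings
    )
```

Authentication of the callback removes the unauthenticated write, the schema check limits what can be stored even if the secret leaks, and escaping on output means a finding title like `<script>` is rendered as text. Each layer is independent; the third one alone would already stop the admin-session script execution the advisory describes, which is why output encoding in the dashboard template is the fix to verify first.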

Affected products (1)

Patches (1)

0a099b1b1939

Merge branch 'v2.4.4' of github.com:usmannasir/cyberpanel into v2.4.4

https://github.com/usmannasir/cyberpanel · usmannasir · Dec 18, 2025 · via nvd-ref
2 files changed · +10 −5
  • plogical/acl.py (+2 −0) modified
    @@ -761,6 +761,8 @@ def checkOwnership(domain, admin, currentACL):
                 else:
                     if childDomain.master.admin.owner == admin.pk:
                         return 1
    +                else:
    +                    return 0
     
             except:
                 domainName = Websites.objects.get(domain=domain)
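Review bot: the new `else: return 0` after `if childDomain.master.admin.owner == admin.pk: return 1` closes an ownership case that previously fell through without an explicit return at that point, but nothing in this hunk (or the website.py hunks below) touches the POST /api/ai-scanner/callback endpoint or findings_json handling that this advisory describes, so the link from commit 0a099b1b1939 to CVE-2026-41472 should be confirmed before it is cited as the fix. Separately, the surrounding handler is a bare `except:`, so any failure inside the try block (including a missing `master` or `admin` relation) is silently routed into the fallback lookup rather than being denied; narrowing it to the exceptions actually expected would make the access decision easier to reason about.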
    
  • websiteFunctions/website.py (+8 −5) modified
    @@ -2519,11 +2519,12 @@ def fetchChildDomainsMain(self, userID=None, data=None):
                 childDomains = []
     
                 for web in websites:
    -                for child in web.childdomains_set.filter(alais=0):
    -                    if child.domain == f'mail.{web.domain}':
    -                        pass
    -                    else:
    -                        childDomains.append(child)
    +                for child in web.childdomains_set.all():
    +                    if child.alais == 0:
    +                        if child.domain == f'mail.{web.domain}':
    +                            pass
    +                        else:
    +                            childDomains.append(child)
     
                 pagination = self.getPagination(len(childDomains), recordsToShow)
                 json_data = self.findChildsListJson(childDomains[finalPageNumber:endPageNumber])
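Review bot: the behaviour here is unchanged (same `alais == 0` and `mail.` exclusions), only moved from a database-side `.filter(alais=0)` to a Python check inside a `.all()` loop, and the hunk gives no reason; a one-line comment above `for child in web.childdomains_set.all():` saying why the filter was abandoned would save the next reader the archaeology, and the misspelled field name `alais` is now written twice more, so if it is the model's actual column name a note to that effect would stop someone "correcting" it. Loading every child domain into Python is also O(n) per site where the query previously let the database do the filtering.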
    @@ -2533,6 +2534,8 @@ def fetchChildDomainsMain(self, userID=None, data=None):
                 final_json = json.dumps(final_dic)
                 return HttpResponse(final_json)
             except BaseException as msg:
    +            import traceback
    +            logging.CyberCPLogFileWriter.writeToFile(f"fetchChildDomainsMain error for userID {userID}: {str(msg)}\n{traceback.format_exc()}")
                 dic = {'status': 1, 'listWebSiteStatus': 0, 'error_message': str(msg)}
                 json_data = json.dumps(dic)
                 return HttpResponse(json_data)
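Review bot: the added log line is useful, but the unchanged line right after it still returns `str(msg)` to the caller as `error_message`, so whatever exception text the traceback now records server-side is also disclosed to the client; return a generic message and keep the detail in the log. `except BaseException as msg` also swallows `SystemExit` and `KeyboardInterrupt`; `except Exception` is the usual choice. Minor: `import traceback` belongs at module level rather than inside the handler.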
    

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (3)

News mentions (0)