VYPR

Go modules package

github.com/1panel-dev/1panel

pkg:golang/github.com/1panel-dev/1panel

Vulnerabilities (17)

  • CVE-2025-34429 (Dec 10, 2025)
    affected >= 1.10.33, <= 2.0.15

    1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the web port configuration functionality. The port-change endpoint lacks CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage th

  • CVE-2025-34430 (Dec 10, 2025)
    affected >= 1.10.33, <= 2.0.15

    1Panel versions 1.10.33 through 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the panel name management functionality. The affected endpoint does not implement CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malic

  • CVE-2025-34410 (Dec 10, 2025)
    affected >= 1.10.33, <= 2.0.15

    1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Username functionality available from the settings panel (/settings/panel). The endpoint does not implement CSRF protections such as anti-CSRF tokens or Origin/Referer validat

  • CVE-2025-66508 (Dec 9, 2025)
    affected < 2.0.14, fixed 2.0.14

    1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.14 and below use Gin's default configuration which trusts all IP addresses as proxies (TrustedProxies = 0.0.0.0/0), allowing any client to spoof the X-Forwarded-For header. Since all IP-ba

  • CVE-2025-66507 (Dec 9, 2025)
    affected < 2.0.14, fixed 2.0.14

    1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.13 and below allow an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this value without proper val

  • CVE-2024-39907 (Jul 18, 2024)
    affected < 1.10.12-tls, fixed 1.10.12-tls

    1Panel is a web-based Linux server management control panel. There are many SQL injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. These SQL injections have been resolved in version 1.10.12-tls. Use

  • CVE-2024-34352 (May 9, 2024)
    affected < 1.10.3-lts, fixed 1.10.3-lts

    1Panel is an open source Linux server operation and maintenance management panel. Prior to v1.10.3-lts, there are many command injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. The mirror configur

  • CVE-2024-30257 (Apr 18, 2024)
    affected < 1.10.3, fixed 1.10.3

    1Panel is an open source Linux server operation and maintenance management panel. The password verification in the source code uses the `!=` operator instead of `hmac.Equal`. This may lead to a timing attack vulnerability. This vulnerability is fixed in 1.10.3-lts.

  • CVE-2024-2352 (Mar 10, 2024)
    affected < 1.10.1-lts, fixed 1.10.1-lts

    A vulnerability, which was classified as critical, has been found in 1Panel up to 1.10.1-lts. Affected by this issue is the function baseApi.UpdateDeviceSwap of the file /api/v1/toolbox/device/update/swap. The manipulation of the argument Path with the input 123123123\nopen -a Ca

  • CVE-2024-27288 (Mar 6, 2024)
    affected < 1.10.1-lts, fixed 1.10.1-lts

    1Panel is an open source Linux server operation and maintenance management panel. Prior to version 1.10.1-lts, users can use Burp to obtain unauthorized access to the console page. The vulnerability has been fixed in v1.10.1-lts. There are no known workarounds.

  • CVE-2024-24768 (Feb 5, 2024)
    affected < 1.9.6, fixed 1.9.6

    1Panel is an open source Linux server operation and maintenance management panel. The HTTPS cookie that comes with the panel does not have the `Secure` attribute, which may cause the cookie to be sent in plain text if the panel is accessed over HTTP. This issue has been patched in version 1.9.6.

  • CVE-2023-39966 (Aug 10, 2023)
    affected >= 1.4.3, < 1.5.0, fixed 1.5.0

    1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, an arbitrary file write vulnerability could lead to direct control of the server. In the `api/v1/file.go` file, there is a function called `SaveContent` that receives JSON data s

  • CVE-2023-39965 (Aug 10, 2023)
    affected >= 1.4.3, < 1.5.0, fixed 1.5.0

    1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, authenticated attackers can download arbitrary files through the API interface. This code path lacks proper authorization checks. Attackers can freely download the file content on the target syst

  • CVE-2023-39964 (Aug 10, 2023)
    affected >= 1.4.3, < 1.5.0, fixed 1.5.0

    1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, arbitrary file reads allow an attacker to read arbitrary important configuration files on the server. In the `api/v1/file.go` file, there is a function called `LoadFromFile`, which

  • CVE-2023-37477 (Jul 18, 2023)
    affected < 1.4.3, fixed 1.4.3

    1Panel is an open source Linux server operation and maintenance management panel. An OS command injection vulnerability exists in 1Panel firewall functionality. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP re

  • CVE-2023-36457 (Jul 5, 2023)
    affected < 1.3.6, fixed 1.3.6

    1Panel is an open source Linux server operation and maintenance management panel. Prior to version 1.3.6, an authenticated attacker can craft a malicious payload to achieve command injection when adding container repositories. The vulnerability has been fixed in v1.3.6.

  • CVE-2023-36458 (Jul 5, 2023)
    affected < 1.3.6, fixed 1.3.6

    1Panel is an open source Linux server operation and maintenance management panel. Prior to version 1.3.6, an authenticated attacker can craft a malicious payload to achieve command injection when entering the container terminal. The vulnerability has been fixed in v1.3.6.