CVE-2026-34241: CtrlPanel XSS Allows Admin Session Hijack

The National Vulnerability Database reports a high-severity Stored Cross-Site Scripting (XSS) vulnerability, CVE-2026-34241, in CtrlPanel, an open-source billing panel for hosting providers. The flaw, present in versions 1.1.1 and earlier, sits in the ticket reply notification system: the reply text ($newmessage) submitted by a user or an admin is stored unsanitized in the database notification payload and then rendered unescaped, via Blade's {!! !!} syntax, in the recipient's browser, so any HTML or JavaScript in the reply executes in the recipient's session.

Because both notification classes are affected (App\Notifications\Ticket\Admin\AdminReplyNotification and App\Notifications\Ticket\User\ReplyNotification), the bug works in both directions. A low-privileged customer only needs to reply to one of their own tickets to hit the user-to-admin path; the admin-to-user path needs an administrator account, which an attacker may already hold once the first path has succeeded. The primary risks are session hijacking, credential harvesting through fake login prompts or keyloggers injected into the page, and privilege escalation by performing actions in the victim's authenticated session. NVD assigns a CVSS score of 8.7 (HIGH), reflecting the impact on confidentiality and integrity.

CtrlPanel has fixed the issue in version 1.2.0. Defenders should prioritise the upgrade: the vulnerable surface is the ticket system every customer can reach, and the payoff for an attacker is an administrator's session, so this is not a vulnerability to defer.

What This Means For You

  • If your hosting environment relies on CtrlPanel, check the installed version now. If it is 1.1.1 or earlier, upgrade to 1.2.0 without delay. Because the payload lives in stored notification rows, also review existing ticket notifications for injected HTML or script tags; the advisory does not say whether the fix escapes at render time or at storage time, so do not assume the upgrade alone neutralises payloads that were stored before it. Audit web server and application logs around ticket replies and administrative sessions for signs of exploitation, and if you find any, invalidate active admin sessions and reset the affected credentials.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application (Initial Access)

Detection Rules

Sigma rule auto-generated for this advisory and mapped to MITRE ATT&CK (severity: high, T1190 Initial Access):

CVE-2026-34241: CtrlPanel Stored XSS in Ticket Reply Notifications

Sigma YAML
title: CVE-2026-34241: CtrlPanel Stored XSS in Ticket Reply Notifications
id: scw-2026-05-19-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit the stored Cross-Site Scripting (XSS) vulnerability in CtrlPanel versions 1.1.1 and prior (CVE-2026-34241). The rule looks for requests to the ticket reply endpoint whose query string carries a script tag, an inline event handler or a javascript: URL, raw or URL-encoded, indicating an attempt to inject JavaScript into the notification payload that is later rendered unescaped for the recipient. Successful exploitation can lead to admin session hijacking.
  Note: the reply form is normally submitted in a POST body, which web server access logs do not record. Pair this rule with WAF or application-level logging of request bodies to cover that path.
author: SCW Feed Engine (AI-generated)
date: 2026-05-19
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-34241/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection_uri:
    cs-uri-stem|contains: '/ticket/reply'
  selection_payload:
    cs-uri-query|contains:
      - '<script'
      - '%3Cscript'
      - '%253Cscript'
      - 'onerror='
      - 'onerror%3D'
      - 'javascript:'
  condition: selection_uri and selection_payload
falsepositives:
  - Vulnerability scanners and authorized penetration tests
  - Legitimate ticket content that quotes HTML or JavaScript

Source: Shimi's Cyber World

Indicators of Compromise

The entries below describe the vulnerable surface rather than observable artefacts of an attack; treat them as scoping data for your own hunting, not as detections.

ID             Type  Indicator
CVE-2026-34241 XSS   CtrlPanel versions 1.1.1 and prior
CVE-2026-34241 XSS   Vulnerable component: ticket reply notification system
CVE-2026-34241 XSS   Vulnerable function: App\Notifications\Ticket\Admin\AdminReplyNotification
CVE-2026-34241 XSS   Vulnerable function: App\Notifications\Ticket\User\ReplyNotification
CVE-2026-34241 XSS   Attack vector: unsanitized $newmessage rendered via Blade's {!! !!} syntax

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 20, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.


Related coverage

CVE-2026-20240: Denial of Service (medium severity, CVSS 6.5, CWE-20)
In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129, ...

CVE-2026-20239: Splunk Enterprise, Cloud Vulnerability Exposes Session Cookies, Sensitive Data (high severity, CVSS 7.5, CWE-532)
In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a ...

CVE-2026-20238: Splunk AI Toolkit (medium severity, CVSS 6.5, CWE-863)
In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data ...