Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-23525

CVE-2026-23525: 1Panel App Store XSS Vulnerability

CVE-2026-23525 is a stored Cross-Site Scripting flaw in 1Panel App Store that enables attackers to execute malicious scripts in users' browsers. This article covers technical details, affected versions, and mitigation steps.

Published:

CVE-2026-23525 Overview

A stored Cross-Site Scripting (XSS) vulnerability has been identified in 1Panel, an open-source, web-based control panel for Linux server management. The vulnerability exists in the 1Panel App Store when viewing application details, allowing malicious scripts to execute in the context of the user's browser. This could potentially compromise session data or sensitive system interfaces, leading to significant security implications for administrators managing Linux servers through this platform.

Critical Impact

Attackers can publish malicious applications that execute arbitrary scripts when loaded by users, potentially resulting in theft of user cookies, unauthorized access to system functions, or other actions compromising the confidentiality, integrity, and availability of the system.

Affected Products

  • 1Panel versions up to and including v1.10.33-lts
  • 1Panel versions up to and including v2.0.16
  • All 1Panel installations with App Store functionality enabled

Discovery Timeline

  • 2026-01-18 - CVE-2026-23525 published to NVD
  • 2026-01-18 - Last updated in NVD database

Technical Details for CVE-2026-23525

Vulnerability Analysis

This stored XSS vulnerability stems from insufficient input sanitization in the MdEditor component when the previewOnly attribute is enabled. The App Store renders application README content without proper XSS protection, allowing script execution during content rendering. Similar issues exist in system upgrade-related components that also utilize the MdEditor for content display.

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), which represents a fundamental web security issue where user-supplied data is rendered without appropriate encoding or sanitization. In this case, the README content from applications can contain malicious JavaScript payloads that execute when administrators browse the App Store.

Root Cause

The root cause lies in insufficient sanitization of content rendered by the MdEditor component with the previewOnly attribute enabled. The component fails to properly sanitize or escape potentially dangerous HTML and JavaScript content before rendering it in the browser. This architectural oversight allows attacker-controlled content from application README files to be executed as trusted code within the administrative interface.

Attack Vector

An attacker can exploit this vulnerability by publishing a malicious application to the 1Panel App Store containing crafted JavaScript code embedded within the application's README content. When legitimate users browse the App Store and view the malicious application details, the embedded scripts execute within their browser session with full access to the administrative interface.

The attack requires network access and relies on user interaction (viewing the malicious application), but can be executed by any authenticated user with the ability to publish applications. The scripts can perform actions including cookie theft, session hijacking, administrative action execution, and data exfiltration—all within the context of the victim's authenticated session.

Detection Methods for CVE-2026-23525

Indicators of Compromise

  • Unexpected JavaScript code or <script> tags present in application README content within the App Store
  • Unusual outbound network connections originating from browser sessions accessing the 1Panel interface
  • Session cookie access attempts or modifications logged during App Store browsing activities
  • Reports of suspicious application listings with obfuscated or encoded content in their descriptions

Detection Strategies

  • Implement Content Security Policy (CSP) headers to detect and block unauthorized script execution
  • Monitor browser console logs for JavaScript errors or blocked inline script attempts
  • Review application submissions for suspicious HTML or JavaScript content before publication
  • Deploy web application firewall (WAF) rules to detect common XSS payload patterns in application metadata

Monitoring Recommendations

  • Enable verbose logging for the 1Panel App Store component to track content rendering activities
  • Configure alerting for failed CSP violations which may indicate XSS exploitation attempts
  • Periodically audit published applications for potentially malicious README content
  • Monitor user session activities for anomalous behavior following App Store interactions

How to Mitigate CVE-2026-23525

Immediate Actions Required

  • Upgrade 1Panel to patched versions: v1.10.34-lts or v2.0.17 immediately
  • Review recently published applications in your App Store for suspicious content
  • Invalidate and regenerate session tokens for all administrative users as a precaution
  • Implement Content Security Policy headers to provide defense-in-depth against XSS attacks

Patch Information

The vulnerability has been addressed in 1Panel versions v1.10.34-lts and v2.0.17. The fix implements proper XSS protection and sanitization when rendering content in the MdEditor component. Organizations should upgrade to these patched versions immediately. For detailed patch information, refer to the GitHub Security Advisory.

Workarounds

  • Restrict access to the App Store functionality until patching is complete
  • Implement a strict Content Security Policy that blocks inline script execution
  • Manually review and sanitize README content for all applications before deployment
  • Consider disabling remote application installation features temporarily
bash
# Example: Add Content Security Policy headers to your web server
# For Nginx configuration, add to server block:
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;

# For Apache, add to .htaccess or virtual host:
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.