CVE-2026-34241 Overview
CtrlPanel is open-source billing software used by hosting providers to manage customers, servers, and support tickets. CVE-2026-34241 is a Stored Cross-Site Scripting (XSS) vulnerability in the ticket reply notification system affecting versions 1.1.1 and prior. Unsanitized ticket reply content is persisted in database notification payloads and later rendered unescaped in the recipient's browser. A low-privileged user can inject arbitrary JavaScript that executes in an administrator's session when the admin views the notification. The flaw is also exploitable in the reverse direction, allowing a malicious admin to target regular users. The issue is fixed in version 1.2.0.
Critical Impact
A low-privileged attacker can execute JavaScript in an admin's session, hijack the session, harvest credentials, and perform privileged actions on the victim's behalf.
Affected Products
- CtrlPanel (Ctrlpanel-gg/panel) versions 1.1.1 and prior
- App\Notifications\Ticket\Admin\AdminReplyNotification component
- App\Notifications\Ticket\User\ReplyNotification component
Discovery Timeline
- 2026-05-19 - CVE-2026-34241 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-34241
Vulnerability Analysis
The vulnerability is a Stored Cross-Site Scripting flaw [CWE-79] in the ticket reply notification path. When a user submits a ticket reply, the $newmessage value is captured and persisted directly into the notification payload stored in the database. The recipient's notifications view renders this payload using Blade's raw output directive {!! !!}, which bypasses HTML escaping. As a result, any HTML or JavaScript embedded in a reply executes in the browser of the recipient when they view the notification.
Two notification classes implement this unsafe pattern. AdminReplyNotification is triggered when a regular user replies to a ticket and is delivered to administrators. ReplyNotification is triggered when an administrator replies and is delivered to the ticket owner. Both branches share the same unescaped rendering behavior.
Root Cause
The root cause is missing output encoding combined with the use of Blade's raw rendering syntax. User-controlled reply content is trusted as safe HTML at render time rather than treated as untrusted input. Sanitization is not applied at write time, and escaping is explicitly disabled at read time, removing both layers of defense against script injection.
Attack Vector
Exploitation requires an authenticated low-privileged account and user interaction by the recipient. The attacker opens or replies to a support ticket and includes a JavaScript payload such as a script tag or an event handler attribute within the reply body. The payload is stored verbatim and dispatched as a notification to administrators. When an administrator opens the notification list, the script executes in the administrator's authenticated session, enabling session cookie theft, fake login overlays, keylogging, and forged administrative requests. The same flow applies in reverse from a compromised admin account to a targeted user.
No verified public exploit code is currently available for this issue. Refer to the GitHub Security Advisory GHSA-cmrr-q3hw-3vqh for vendor technical details.
Detection Methods for CVE-2026-34241
Indicators of Compromise
- Ticket reply records containing <script>, onerror=, onload=, or javascript: substrings in the message body.
- Notification payload rows in the database with raw HTML tags in fields rendered by AdminReplyNotification or ReplyNotification.
- Unexpected outbound requests from admin browsers to attacker-controlled hosts immediately after viewing the notifications panel.
- New or modified admin accounts, password changes, or privilege grants shortly after a low-privileged user submits a ticket reply.
Detection Strategies
- Inspect the notifications table and ticket reply storage for HTML or JavaScript syntax in user-supplied fields.
- Review web server access logs for admin sessions issuing unusual POST requests immediately after loading the notifications view.
- Audit Blade templates referencing {!! !!} against user-controlled notification fields to identify the unsafe rendering site.
Monitoring Recommendations
- Alert on creation of administrative users or role changes correlated with recent ticket reply activity from non-privileged accounts.
- Monitor browser-side Content Security Policy (CSP) violation reports for inline script execution on CtrlPanel admin routes.
- Track repeated ticket replies from a single low-privileged account that contain encoded HTML entities or unusual special-character density.
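The following scanner is an added example, not part of this advisory or of the CtrlPanel project. It applies the indicators and detection strategies above to rows shaped like Laravel's default notifications table (id, type, and data stored as JSON); the row layout, the payload key names and the sample rows are constructed assumptions, and the pattern set generalises the listed substrings to any on*= handler inside a tag plus a few other active-content tags. Each string in a payload is checked both as stored and after HTML entity decoding, so entity-encoded probes of the kind the monitoring item mentions surface as separately labelled, lower-confidence hits.

```python
import html
import json
import re

# The two notification classes the advisory names as the unsafe rendering sites.
AFFECTED_TYPES = {
    "App\\Notifications\\Ticket\\Admin\\AdminReplyNotification",
    "App\\Notifications\\Ticket\\User\\ReplyNotification",
}

# Indicators generalised from the advisory's list (<script>, onerror=, onload=,
# javascript:): any script tag, any on*= attribute inside a tag, any javascript:
# URL, and a few other tags that can carry active content. Heuristics, not a parser.
INDICATORS = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "event-handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.I),
    "javascript-url": re.compile(r"javascript\s*:", re.I),
    "active-tag": re.compile(r"<\s*(iframe|object|embed|svg|img)\b", re.I),
}

# Constructed rows shaped like Laravel's default `notifications` table (id, type,
# data as JSON text). The payload keys are an assumption; CtrlPanel's real schema
# may differ, which is why the scanner walks every string in the payload.
SAMPLE_ROWS = [
    {"id": "n1", "type": "App\\Notifications\\Ticket\\Admin\\AdminReplyNotification",
     "data": json.dumps({"ticket_id": 101, "message": "Server still shows offline after a reboot."})},
    {"id": "n2", "type": "App\\Notifications\\Ticket\\Admin\\AdminReplyNotification",
     "data": json.dumps({"ticket_id": 102, "message": "please check <script>alert(1)</script>"})},
    {"id": "n3", "type": "App\\Notifications\\Ticket\\User\\ReplyNotification",
     "data": json.dumps({"ticket_id": 103, "message": '<img src=x onerror="alert(1)">'})},
    {"id": "n4", "type": "App\\Notifications\\Ticket\\User\\ReplyNotification",
     "data": json.dumps({"ticket_id": 104, "message": "&lt;script&gt;alert(1)&lt;/script&gt;"})},
    {"id": "n5", "type": "App\\Notifications\\Other\\Unrelated",
     "data": json.dumps({"message": "<script>not rendered by the affected views</script>"})},
]


def iter_strings(value):
    """Yield every string nested anywhere in a decoded JSON payload."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from iter_strings(item)
    elif isinstance(value, list):
        for item in value:
            yield from iter_strings(item)


def classify(text):
    """Return the indicator names matching text, as stored or after entity decoding.

    A hit that only appears after decoding is marked "(entity-encoded)": it would
    render as literal text under {!! !!}, but it is the probing pattern the
    advisory's monitoring item asks to track.
    """
    hits = set()
    decoded = html.unescape(text)
    for name, pattern in INDICATORS.items():
        if pattern.search(text):
            hits.add(name)
        elif pattern.search(decoded):
            hits.add(name + "(entity-encoded)")
    return hits


def scan_rows(rows):
    """Return [(row_id, type, sorted indicator names)] for affected-type rows with hits."""
    findings = []
    for row in rows:
        if row["type"] not in AFFECTED_TYPES:
            continue  # other notification classes are rendered elsewhere
        hits = set()
        for text in iter_strings(json.loads(row["data"])):
            hits |= classify(text)
        if hits:
            findings.append((row["id"], row["type"], sorted(hits)))
    return findings


if __name__ == "__main__":
    for row_id, ntype, hits in scan_rows(SAMPLE_ROWS):
        print(f"{row_id}  {ntype.rsplit(chr(92), 1)[-1]}  {', '.join(hits)}")
```

To run it against a live panel, replace SAMPLE_ROWS with the rows returned by SELECT id, type, data FROM notifications (assuming the default Laravel table name). Every hit is a review candidate rather than proof of compromise, since a legitimate reply can quote markup; the row ids give you the purge list for the cleanup step in the mitigation section.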
How to Mitigate CVE-2026-34241
Immediate Actions Required
- Upgrade CtrlPanel to version 1.2.0 or later, which contains the official fix.
- Rotate administrator session cookies, API tokens, and passwords if the panel has been exposed to untrusted users prior to patching.
- Review recent ticket replies and notifications for injected HTML or JavaScript and purge affected rows.
- Audit administrative actions performed since the vulnerable version was deployed to identify unauthorized changes.
Patch Information
The maintainers released the fix in CtrlPanel version 1.2.0. The patched release sanitizes notification content and removes unsafe raw Blade rendering of user-supplied reply text. Release notes are available at the GitHub Release v1.2.0 page, and the coordinated disclosure details are in the GitHub Security Advisory GHSA-cmrr-q3hw-3vqh.
Workarounds
- Restrict ticket submission to vetted accounts until the upgrade to 1.2.0 is complete.
- Apply a Content Security Policy that disallows inline scripts on administrative routes to limit payload execution.
- Manually patch the affected Blade templates to replace {!! $message !!} with the escaped {{ $message }} directive as an interim fix, then redeploy.
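The root cause described earlier and the last workaround above both come down to which Blade directive renders $message. The following is an added example, not CtrlPanel's code: it models the two directives in Python (html.escape with quote=True standing in for Blade's e() helper), renders constructed reply bodies through constructed templates in both a text context and an attribute context, and parses the output the way a browser would to show which combinations leave an executable handler behind. The template names, the templates and the reply bodies are all constructed; none of them are the project's real views or stored data.

```python
import html
from html.parser import HTMLParser

# Constructed stand-ins for the rendering styles the advisory contrasts; they are
# not CtrlPanel's real notification views. "raw-*" uses {!! !!}, "escaped-*" uses {{ }}.
TEMPLATES = {
    "raw-text": '<li class="notification">{!! $message !!}</li>',
    "raw-attr": '<li class="notification" title="{!! $message !!}"></li>',
    "escaped-text": '<li class="notification">{{ $message }}</li>',
    "escaped-attr": '<li class="notification" title="{{ $message }}"></li>',
}

# Constructed reply bodies: one aimed at a text context, one at an attribute context.
REPLIES = {
    "text-context": 'server down <img src=x onerror="alert(1)">',
    "attr-context": 'x" onmouseover="alert(1)',
}


def blade_e(value):
    """Model of Blade's e() helper (htmlspecialchars with ENT_QUOTES, UTF-8).

    html.escape(quote=True) converts the same five characters & < > " and '.
    PHP spells the apostrophe entity &#039; rather than &#x27;, which makes no
    difference to safety.
    """
    return html.escape(value, quote=True)


def render(template, message):
    """Minimal Blade-like renderer for the two directives named in the advisory."""
    if "{!! $message !!}" in template:
        return template.replace("{!! $message !!}", message)  # raw: inserted verbatim
    return template.replace("{{ $message }}", blade_e(message))  # escaped on output


class ActiveContentFinder(HTMLParser):
    """Records <script> elements and on* attributes as a browser's parser would see them."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")


def active_content(rendered):
    """Return the executable elements/handlers present in a rendered fragment."""
    parser = ActiveContentFinder()
    parser.feed(rendered)
    parser.close()
    return parser.findings


def evaluate():
    """Render every template/reply pair and report what a browser would execute."""
    return {(t, r): active_content(render(TEMPLATES[t], REPLIES[r]))
            for t in TEMPLATES for r in REPLIES}


if __name__ == "__main__":
    for (t, r), hits in sorted(evaluate().items()):
        verdict = "EXECUTES " + ", ".join(hits) if hits else "inert"
        print(f"{t:13} {r:13} {verdict}")
```

The attribute-context pair shows why the replacement directive has to escape quotes as well as angle brackets: {{ }} does, so an injected " onmouseover= stays inside the title value instead of becoming a new attribute. Because the escaping happens on output, the one-directive change in the workaround takes effect for rows already in the database as soon as the view is recompiled; purging the injected rows remains worthwhile for the forensic reasons given under Immediate Actions.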
# Upgrade CtrlPanel to the patched release (run from the panel's install directory)
git fetch --tags
git checkout 1.2.0
# Install production dependencies for the new release
composer install --no-dev --optimize-autoloader
# Apply any new migrations non-interactively, rebuild the config cache, and drop
# compiled Blade views so the patched templates are recompiled on next request
php artisan migrate --force
php artisan config:cache
php artisan view:clear
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.