CVE-2026-34246 Overview
CVE-2026-34246 is a Stored Cross-Site Scripting (XSS) vulnerability in CtrlPanel, open-source billing software used by hosting providers. The flaw resides in the admin role management interface and affects versions 1.1.1 and prior. An attacker with role creation or edit permissions can inject HTML or JavaScript payloads into role name or color fields. These payloads persist in the database and execute when any administrator loads the /admin/roles page. The issue is tracked under [CWE-80] and was resolved in CtrlPanel version 1.2.0.
Critical Impact
Stored payloads execute in every admin's browser session, enabling cookie theft, credential harvesting, lateral privilege escalation, and a persistent backdoor across the admin panel.
Affected Products
- CtrlPanel versions 1.1.1 and prior
- CtrlPanel admin role management interface (/admin/roles)
- Fixed in CtrlPanel version 1.2.0
Discovery Timeline
- 2026-05-19 - CVE-2026-34246 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-34246
Vulnerability Analysis
The vulnerability lives in app/Http/Controllers/Admin/RoleController.php. The datatable() method interpolates $role->name and $role->color directly into a <span> element's HTML body and inline style attribute. No sanitization or output encoding is applied before rendering. The chained .rawColumns(['actions', 'name']) call instructs the DataTables library to treat the name column as raw HTML. This explicitly bypasses the automatic output escaping that DataTables provides by default. Persisted role data becomes an execution vector for any admin who visits the role listing page.
Root Cause
The root cause is missing input sanitization combined with explicit output escaping bypass. CtrlPanel trusts admin-supplied role attributes and writes them unchanged to the database. The frontend then renders those attributes as raw HTML rather than text. This violates the principle of contextual output encoding for user-controlled data, even when the source is a privileged user.
Attack Vector
An admin with permission to create or edit roles submits a payload such as <img src=x onerror="alert('XSS_POC')"> into the role name or color field. The payload is stored in the roles table. Each time another administrator loads /admin/roles, the DataTables component renders the malicious markup and the browser executes the JavaScript. Attackers can use this to steal session cookies, display fake login prompts, install in-page keyloggers, or perform privileged actions on behalf of the victim admin. The injected record acts as a persistent backdoor until the malicious role is deleted.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-wpqj-xwhq-2mmh for additional technical context.
Detection Methods for CVE-2026-34246
Indicators of Compromise
- Role records in the database containing HTML tags such as <img>, <script>, <svg>, or inline event handlers like onerror=, onload=, or onclick= in the name or color columns.
- Outbound HTTP requests from admin browsers to unknown domains shortly after loading /admin/roles.
- Unexpected admin actions, role changes, or privilege grants performed from legitimate admin accounts without corresponding user activity.
Detection Strategies
- Query the roles table for any non-alphanumeric characters in the name field and any value in color that is not a valid hex code or CSS color keyword.
- Review web server access logs for POST and PUT requests to /admin/roles endpoints submitting suspicious payload signatures.
- Inspect rendered HTML returned by /admin/roles for tags or attributes outside the expected <span> styling template.
Monitoring Recommendations
- Enable application-level audit logging for role create, update, and delete operations including the submitted field values.
- Deploy a Content Security Policy (CSP) in report-only mode on admin pages to surface inline script execution attempts.
- Monitor admin session activity for anomalous geolocation, user agent, or API call patterns indicative of session hijacking.
How to Mitigate CVE-2026-34246
Immediate Actions Required
- Upgrade CtrlPanel to version 1.2.0 or later, available at the CtrlPanel 1.2.0 GitHub Release.
- Audit the roles table and remove or sanitize any records containing HTML markup in name or color fields.
- Rotate all admin session cookies and credentials if injected payloads are found, since session theft cannot be ruled out.
Patch Information
The maintainers resolved this issue in CtrlPanel version 1.2.0. Details are published in the GitHub Security Advisory GHSA-wpqj-xwhq-2mmh and the 1.2.0 release notes. Administrators running 1.1.1 or earlier should treat this upgrade as the primary remediation.
Workarounds
- Restrict role creation and edit permissions to a minimal set of trusted administrators until the upgrade is applied.
- Apply a strict Content Security Policy that disallows inline event handlers and inline scripts on /admin/* routes.
- Enforce server-side input validation on role name (alphanumeric and spaces only) and color (hex value pattern) at the reverse proxy or WAF layer.
# Example WAF rule pattern to block HTML injection in role fields
# ModSecurity-style pseudo-rule
SecRule ARGS:name|ARGS:color "@rx <[a-zA-Z/!]|on[a-z]+\s*=" \
"id:1002601,phase:2,deny,status:403,msg:'CVE-2026-34246 HTML injection blocked in role field'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
