Cyber Resilience

CVE-2026-23525

Severity: Medium
Published: 18 January 2026
Modified: 13 March 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 6.4 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0031 (22.1st percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-23525 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Fit2Cloud 1Panel. Its CVSS base score is 6.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The CVE ranks at the 22.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-23525 is a stored Cross-Site Scripting (XSS) vulnerability in 1Panel, an open-source web-based control panel for Linux server management. The issue affects the App Store component when viewing application details: the application's README is rendered by the MdEditor component with the `previewOnly` attribute enabled, and because that rendered content is not sanitized, scripts embedded in the README execute in the context of the viewing user's browser. Similar flaws exist in system upgrade-related components that render content through the same path. All versions of 1Panel up to and including v1.10.33-lts and v2.0.16 are vulnerable. The CVSS v3.1 base score is 6.4 (AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H) and the weakness is mapped to CWE-79.

An attacker can exploit this vulnerability by publishing a malicious application to the 1Panel App Store, which legitimate users then load either locally or remotely to view details. This requires high privileges (PR:H) and user interaction (UI:R) from a victim with access to the panel, along with high attack complexity. Successful exploitation executes arbitrary scripts in the victim's browser context, potentially leading to theft of user cookies or session data, unauthorized access to sensitive system interfaces or functions, and compromise of the system's confidentiality, integrity, and availability.

The official advisory recommends mitigation by applying proper XSS protection and sanitization when rendering content in the MdEditor component. Patched versions incorporating the fix are available as v1.10.34-lts and v2.0.17. Additional details are provided in the GitHub Security Advisory at https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-mg24-6h5c-9q42.

Vulnerability details

1Panel is an open-source, web-based control panel for Linux server management. A stored Cross-Site Scripting (XSS) vulnerability exists in the 1Panel App Store when viewing application details. Malicious scripts can execute in the context of the user's browser, potentially compromising session data or sensitive system interfaces. All versions of 1Panel up to and including v1.10.33-lts and v2.0.16 are affected. An attacker could publish a malicious application that, when loaded by users (locally or remotely), can execute arbitrary scripts. This may result in theft of user cookies, unauthorized access to system functions, or other actions that compromise the confidentiality, integrity, and availability of the system. The vulnerability is caused by insufficient sanitization of content rendered by the MdEditor component with the `previewOnly` attribute enabled. Specifically, the App Store renders application README content without proper XSS protection, allowing script execution during content rendering; and similar issues exist in system upgrade-related components, which can be fixed by implementing proper XSS sanitization in the MdEditor component. These vulnerabilities can be mitigated by applying proper XSS protection and sanitization when rendering content in the MdEditor component. Safe versions with a patch incorporated are v1.10.34-lts and v2.0.17.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.
T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Stored XSS in MdEditor enables arbitrary JavaScript execution (T1059.007) in the victim's browser, which directly facilitates session cookie theft and browser session hijacking (T1539, T1185).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-56413 (same product: Fit2Cloud 1Panel)
CVE-2025-54424 (same product: Fit2Cloud 1Panel)
CVE-2025-69386 (shared CWE-79)
CVE-2025-59543 (shared CWE-79)
CVE-2025-22331 (shared CWE-79)
CVE-2025-0833 (shared CWE-79)
CVE-2025-0828 (shared CWE-79)
CVE-2026-28405 (shared CWE-79)
CVE-2026-28756 (shared CWE-79)
CVE-2025-55289 (shared CWE-79)

Affected Assets

fit2cloud
1panel
≤ 1.10.34 · 2.0.0 — 2.0.17

Mitigating Controls (NIST 800-53 r5) AI

prevent: SI-10 Information Input Validation. Directly requires validation and sanitization of untrusted input (application README content) before it is rendered by the MdEditor component, preventing stored XSS script execution.

prevent: SI-15 Information Output Filtering. Requires filtering of information output by the App Store and upgrade components so that malicious scripts are removed or neutralized before display in the user's browser.

prevent: Provides mechanisms to detect and block malicious code (scripts) introduced via the App Store before it can execute in the 1Panel web interface.
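The deeper analysis above describes the defect (README markdown rendered to HTML and handed to the browser unsanitized) and the SI-10/SI-15 controls describe the fix in the abstract. As an added example that is not 1Panel's code and not the MdEditor component's code, the following Python sketch shows what an output-filtering step looks like in practice: an allowlist sanitizer, built on the standard library's HTMLParser, that takes already-rendered README HTML and drops script elements, event-handler attributes and non-http(s)/mailto URLs before the fragment is displayed. The tag and attribute allowlists, the function and class names, and the sample README fragment are assumptions constructed for illustration; in a browser front end a maintained library such as DOMPurify, wired into the markdown component's rendering path, applies the same principle.

```python
"""Allowlist sanitizer for rendered Markdown (HTML) fragments.

Added example; not 1Panel or MdEditor code. Allowlists and the sample README
fragment below are constructed for illustration.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements a README legitimately needs (assumed allowlist).
ALLOWED_TAGS = {
    "p", "br", "hr", "strong", "em", "b", "i", "code", "pre", "blockquote",
    "h1", "h2", "h3", "h4", "h5", "h6", "ul", "ol", "li", "a", "img",
    "table", "thead", "tbody", "tr", "th", "td",
}
# Per-tag attribute allowlist; event handlers (on*) and style are never listed.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}  # relative URLs are also accepted
VOID_TAGS = {"br", "hr", "img"}
# Elements whose text content is dropped as well, not only the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "svg", "math"}


def safe_url(value):
    """Accept relative URLs and http/https/mailto; reject javascript:, data:, etc.
    Whitespace and control characters are stripped first because browsers ignore
    them inside a scheme, so 'java<TAB>script:' must not slip through as relative."""
    if value is None:
        return False
    compact = re.sub(r"[\s\x00-\x1f\x7f]", "", value)
    scheme = urlparse(compact).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted tags/attributes; text nodes are re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags currently open, for balanced output
        self.skip_depth = 0   # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element: drop the tag, keep its text
        rendered = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onerror=, onclick=, style=, ...
            if name in URL_ATTRS and not safe_url(value):
                continue  # drops javascript: / data: targets
            rendered.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            while self.open_tags:  # close mis-nested children on the way out
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_html(fragment):
    """Return the fragment with only allowlisted tags, attributes and URLs."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    while parser.open_tags:  # close anything the input left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)


# Constructed sample: what a markdown renderer might emit for a hostile README.
SAMPLE_README_HTML = (
    '<h1>Demo App</h1>'
    '<p>Install with <code>docker compose up</code>.</p>'
    '<script>alert(1)</script>'
    '<img src="x" onerror="alert(1)" alt="logo">'
    '<a href="javascript:alert(1)">docs</a>'
    '<a href="https://example.com/docs" title="Docs">docs</a>'
)

if __name__ == "__main__":
    print(sanitize_html(SAMPLE_README_HTML))
```

The sanitizer fails closed: anything not on the allowlist is dropped rather than escaped, mis-nested or unclosed tags are balanced on output, and text nodes are re-escaped so entity-encoded markup cannot be reconstituted by the browser.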

References

https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-mg24-6h5c-9q42