CVE-2026-23525
Published: 18 January 2026
Summary
CVE-2026-23525 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Fit2Cloud 1Panel. Its CVSS base score is 6.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The CVE is ranked at the 22.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-23525 is a stored Cross-Site Scripting (XSS) vulnerability in 1Panel, an open-source web-based control panel for Linux server management. The issue affects the App Store component when viewing application details, where malicious scripts can execute in the context of the user's browser due to insufficient sanitization of content rendered by the MdEditor component with the `previewOnly` attribute enabled. Specifically, the App Store renders application README content without proper XSS protection, and similar flaws exist in system upgrade-related components. All versions of 1Panel up to and including v1.10.33-lts and v2.0.16 are vulnerable, with a CVSS v3.1 base score of 6.4 (AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H) and mapped to CWE-79.
An attacker can exploit this vulnerability by publishing a malicious application to the 1Panel App Store, which legitimate users then load either locally or remotely to view details. This requires high privileges (PR:H) and user interaction (UI:R) from a victim with access to the panel, along with high attack complexity. Successful exploitation executes arbitrary scripts in the victim's browser context, potentially leading to theft of user cookies or session data, unauthorized access to sensitive system interfaces or functions, and compromise of the system's confidentiality, integrity, and availability.
The official advisory recommends mitigation by applying proper XSS protection and sanitization when rendering content in the MdEditor component. Patched versions incorporating the fix are available as v1.10.34-lts and v2.0.17. Additional details are provided in the GitHub Security Advisory at https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-mg24-6h5c-9q42.
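The advisory's fix is to sanitize the HTML that the Markdown renderer produces before the read-only preview shows it. The following is an added example, not 1Panel's or MdEditor's own code: an allowlist sanitizer for rendered README HTML, run over a constructed sample. The tag and attribute allowlists, the `isSafeUrl` scheme check and the sample README are assumptions for illustration; a production deployment should rely on a maintained sanitizer library rather than a hand-written one.

```javascript
// Added example (not 1Panel's code): allowlist sanitizer for HTML produced from an
// untrusted README, applied before the HTML reaches a read-only Markdown preview.
const ALLOWED_TAGS = new Set(['p', 'br', 'strong', 'em', 'code', 'pre', 'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'blockquote', 'a', 'img']);
const ALLOWED_ATTRS = { a: ['href', 'title'], img: ['src', 'alt'] }; // no on*, style, etc.
const DROP_WITH_BODY = new Set(['script', 'style', 'iframe', 'object']);
// Reject URLs whose scheme is not http/https/mailto. Browsers strip control characters
// before parsing and decode entities in attributes, so both are handled here.
function isSafeUrl(value) {
  const compact = value.replace(/[\x00-\x20]/g, '');
  if (/&(?!amp;)/i.test(compact)) return false;           // e.g. an entity-encoded scheme
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(compact);
  return !scheme || ['http', 'https', 'mailto'].includes(scheme[1].toLowerCase());
}
function sanitizeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag] || [];
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '', m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowed.includes(name)) continue;                 // drops event handlers, style...
    if ((name === 'href' || name === 'src') && !isSafeUrl(value)) continue;
    out += ` ${name}="${value.replace(/"/g, '&quot;')}"`;
  }
  return out;
}
function sanitizeRenderedMarkdown(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
  let result = '', last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    result += html.slice(last, m.index).replace(/</g, '&lt;'); // stray '<' becomes text
    last = tagRe.lastIndex;
    const tag = m[1].toLowerCase();
    const closing = m[0][1] === '/';
    if (!closing && DROP_WITH_BODY.has(tag)) {               // remove the element's body too
      const end = html.toLowerCase().indexOf(`</${tag}>`, last);
      last = end === -1 ? html.length : end + tag.length + 3;
      tagRe.lastIndex = last;
      continue;
    }
    if (!ALLOWED_TAGS.has(tag)) continue;                    // unknown tag: drop the tag only
    result += closing ? `</${tag}>` : `<${tag}${sanitizeAttrs(tag, m[2])}>`;
  }
  return result + html.slice(last).replace(/</g, '&lt;');
}
// Constructed sample: what a renderer might emit for a README carrying inline HTML.
const README_HTML = '<h1>My App</h1><p>Hello <script>steal()</script>world</p>'
  + '<img src="logo.png" onerror="alert(1)"><a href="javascript:alert(1)" title="t">link</a>';
console.log(sanitizeRenderedMarkdown(README_HTML));
```

The same function is the natural place to plug into a renderer's sanitize hook, so that every preview path (App Store details and upgrade notes alike) passes through one filter.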
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3193
Vulnerability details
1Panel is an open-source, web-based control panel for Linux server management. A stored Cross-Site Scripting (XSS) vulnerability exists in the 1Panel App Store when viewing application details. Malicious scripts can execute in the context of the user's browser, potentially compromising session data or sensitive system interfaces. All versions of 1Panel up to and including v1.10.33-lts and v2.0.16 are affected. An attacker could publish a malicious application that, when loaded by users (locally or remotely), can execute arbitrary scripts. This may result in theft of user cookies, unauthorized access to system functions, or other actions that compromise the confidentiality, integrity, and availability of the system. The vulnerability is caused by insufficient sanitization of content rendered by the MdEditor component with the `previewOnly` attribute enabled. Specifically, the App Store renders application README content without proper XSS protection, allowing script execution during content rendering; and similar issues exist in system upgrade-related components, which can be fixed by implementing proper XSS sanitization in the MdEditor component. These vulnerabilities can be mitigated by applying proper XSS protection and sanitization when rendering content in the MdEditor component. Safe versions with a patch incorporated are v1.10.34-lts and v2.0.17.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in MdEditor enables arbitrary JavaScript execution (T1059.007) in victim browser; directly facilitates session/cookie theft and hijacking (T1539, T1185).
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly requires validation and sanitization of untrusted input (application README content) before it is rendered by the MdEditor component, preventing stored XSS script execution.
SI-15 (Information Output Filtering): requires filtering of information output by the App Store and upgrade components so that malicious scripts are removed or neutralized before display in the user's browser.
Provides mechanisms to detect and block malicious code (scripts) introduced via the App Store before it can execute in the 1Panel web interface.