Cyber Posture

CVE-2026-23525

Medium

Published: 18 January 2026
Modified: 13 March 2026
KEV Added: not listed
Patch: available (v1.10.34-lts, v2.0.17)
CVSS Score 6.4 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H)
EPSS Score 0.0008 (23.3rd percentile)
Risk Priority 13 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23525 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Fit2Cloud 1Panel. Its CVSS base score is 6.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). EPSS ranks it at the 23.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to JavaScript (T1059.007) and two other techniques, Browser Session Hijacking (T1185) and Steal Web Session Cookie (T1539).
Threat & Defense Details

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-79) cited in the NVD entry.

Addresses CWE-79 · Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation. For this CVE that means publishing a test application whose README and upgrade-related content carry inert markers, then checking whether they reach the rendered page as live markup.

Addresses CWE-79 · Validates web inputs to reject script-related content that could produce XSS. For markdown such as an app README, input filtering alone is weak because legitimate content contains markup and links; it complements, but does not replace, sanitization at render time.

Addresses CWE-79 · Output sanitization or encoding of generated web pages rejects or neutralizes script content before it reaches the browser, reducing XSS exploitability. This is the fix the advisory describes: sanitizing the HTML the MdEditor component produces in preview mode.

MITRE ATT&CK Enterprise Techniques

T1059.007 JavaScript (tactic: Execution)
Adversaries may abuse various implementations of JavaScript for execution.
T1185 Browser Session Hijacking (tactic: Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie (tactic: Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Stored XSS in the MdEditor preview enables arbitrary JavaScript execution (T1059.007) in the victim's browser, which directly facilitates session cookie theft and session hijacking (T1539, T1185).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

1Panel is an open-source, web-based control panel for Linux server management. A stored Cross-Site Scripting (XSS) vulnerability exists in the 1Panel App Store when viewing application details. Malicious scripts can execute in the context of the user’s browser, potentially compromising session data or sensitive system interfaces. All versions of 1Panel up to and including v1.10.33-lts and v2.0.16 are affected. An attacker could publish a malicious application that, when loaded by users (locally or remotely), can execute arbitrary scripts. This may result in theft of user cookies, unauthorized access to system functions, or other actions that compromise the confidentiality, integrity, and availability of the system. The vulnerability is caused by insufficient sanitization of content rendered by the MdEditor component with the `previewOnly` attribute enabled. Specifically, the App Store renders application README content without proper XSS protection, allowing script execution during content rendering; and similar issues exist in system upgrade-related components, which can be fixed by implementing proper XSS sanitization in the MdEditor component. These vulnerabilities can be mitigated by applying proper XSS protection and sanitization when rendering content in the MdEditor component. Safe versions with a patch incorporated are v1.10.34-lts and v2.0.17.

Deeper analysis

CVE-2026-23525 is a stored Cross-Site Scripting (XSS) vulnerability in 1Panel, an open-source web-based control panel for Linux server management. The issue affects the App Store component when viewing application details, where malicious scripts execute in the context of the user's browser because content rendered by the MdEditor component with the `previewOnly` attribute enabled is not sanitized. Specifically, the App Store renders application README content (markdown, which may carry raw HTML and links) without XSS protection, and similar flaws exist in system upgrade-related components. All versions of 1Panel up to and including v1.10.33-lts and v2.0.16 are vulnerable. The CVSS v3.1 base score is 6.4 (AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H), and the weakness is classified as CWE-79.

An attacker exploits this by publishing a malicious application to the 1Panel App Store; the payload is stored in the application's README and fires whenever a legitimate user loads the application details, locally or remotely. The vector reflects that the attacker needs high privileges (PR:H) to get content into the store, that a victim with panel access must view the page (UI:R), and that attack complexity is high. Successful exploitation runs arbitrary script in the victim's browser, which can lead to theft of cookies or session data, unauthorized use of system functions, and compromise of the system's confidentiality, integrity, and availability. Note that an HttpOnly flag on the session cookie limits direct theft through `document.cookie` (T1539) but does not stop the injected script from issuing authenticated same-origin requests to panel APIs on the victim's behalf, since the browser attaches the cookie automatically.

The official advisory recommends mitigation by applying proper XSS protection and sanitization when rendering content in the MdEditor component. Patched versions incorporating the fix are available as v1.10.34-lts and v2.0.17. Additional details are provided in the GitHub Security Advisory at https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-mg24-6h5c-9q42.

Details

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products

fit2cloud 1panel · all releases up to and including 1.10.33-lts (fixed in 1.10.34-lts) · 2.0.0 through 2.0.16 (fixed in 2.0.17)

CVEs Like This One

CVE-2025-56413 (same product: Fit2Cloud 1Panel)
CVE-2025-54424 (same product: Fit2Cloud 1Panel)
CVE-2025-24629 (shared CWE-79)
CVE-2025-26874 (shared CWE-79)
CVE-2025-55289 (shared CWE-79)
CVE-2026-28756 (shared CWE-79)
CVE-2025-69386 (shared CWE-79)
CVE-2025-0828 (shared CWE-79)
CVE-2025-0598 (shared CWE-79)
CVE-2026-31281 (shared CWE-79)
