Unknown · Game Management Panel/Billing System · CVE-2026-33061
**Name of the Vulnerable Software and Affected Versions**
exactyl versions after 025e8dbb0daaa04054276bda814d922cf4af58da through e28edb204e80efab628d1241198ea4f079779cfd
**Description**
The software is a customizable game management panel and billing system. A flaw exists where server-side objects are injected into client-side JavaScript through the 'resources/views/templates/wrapper.blade.php' file. The use of unescaped `json encode()` without secure encoding flags allows string values to escape the JavaScript context and be interpreted as HTML or JavaScript by the browser. If serialized fields contain attacker-controlled content, such as a username, display name, or site configuration value, a malicious payload can execute arbitrary script for any user viewing the page, resulting in stored DOM-based Cross-Site Scripting (XSS).
**Recommendations**
Update to a version after e28edb204e80efab628d1241198ea4f079779cfd.