PT-2026-3400 · 1Panel · 1Panel

Loolst

Published 2026-01-18 · Updated 2026-03-13 · CVE-2026-23525

CVSS v3.1: 8.4 (High)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
1Panel versions through 1.10.33-lts
1Panel versions through 2.0.16

Description
1Panel is a web-based control panel for Linux server management. A stored Cross-Site Scripting (XSS) issue exists in the 1Panel App Store when viewing application details. Malicious scripts can execute in the context of the user's browser, potentially compromising session data or sensitive system interfaces. The vulnerability is caused by insufficient sanitization of content rendered by the MdEditor component with the previewOnly attribute enabled. Specifically, the App Store renders application README content without proper XSS protection, allowing script execution during content rendering. Similar issues exist in system upgrade-related components. An attacker could publish a malicious application that, when loaded by users, can execute arbitrary scripts.

Recommendations
Update to version 1.10.34-lts or later.
Update to version 2.0.17 or later.
Implement proper XSS protection and sanitization when rendering content in the MdEditor component.

Exploit

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2026-23525
GHSA-MG24-6H5C-9Q42

Affected products

1Panel