PT-2026-42014 · Ctrlpanel · Ctrlpanel

Published: 2026-05-19 · Updated: 2026-05-20 · CVE-2026-34233

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: CtrlPanel versions prior to 1.2.0

Description: Multiple admin controllers expose DataTable endpoints that lack authorization checks. This allows any authenticated user, regardless of their assigned role, to access sensitive administrative data via GET requests. Although these routes use the '/admin/' prefix, the associated middleware fails to enforce admin-level permissions on the datatable() functions. This can lead to the exposure of user personally identifiable information (PII), payment and transaction records, active voucher and coupon codes, role and permission structures, server ownership mappings, and support ticket contents.

Recommendations: Update to version 1.2.0.
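The missing-check pattern the description refers to, beside its hardened form, as an added illustration that is not CtrlPanel's own code. It assumes a Laravel controller, a hypothetical 'admin.users.read' permission, a hypothetical 'admin.access' gate for the route group, and the yajra/laravel-datatables helper:

```php
<?php
// Added illustration, not CtrlPanel's own code. The controller, route names,
// the 'admin.users.read' / 'admin.access' permissions and the use of
// yajra/laravel-datatables are assumptions made for this example.

namespace App\Http\Controllers\Admin;

use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Yajra\DataTables\Facades\DataTables;

class UserController extends Controller
{
    // BEFORE (the pattern the advisory describes): the route sits under the
    // /admin/ prefix and is only behind the 'auth' middleware, so the handler
    // returns the full user table to any logged-in account:
    //
    //   public function datatable(Request $request)
    //   {
    //       return DataTables::of(User::query())->toJson();
    //   }

    // AFTER: the permission is checked inside the handler as well.
    // Gate::authorize() throws an AuthorizationException (HTTP 403) when the
    // current user lacks the ability, so the endpoint stays closed even if a
    // route-level middleware entry is missing or later removed.
    public function datatable(Request $request)
    {
        Gate::authorize('admin.users.read');

        $query = User::query()->select(['id', 'name', 'email', 'credits']);

        return DataTables::of($query)->toJson();
    }
}

// routes/web.php: guard the whole admin group with a coarse admin gate so
// every DataTable route (users, payments, vouchers, tickets, ...) inherits
// it, instead of relying on per-route middleware that is easy to omit:
//
//   Route::prefix('admin')
//       ->middleware(['auth', 'can:admin.access'])
//       ->group(function () {
//           Route::get('users/datatable', [UserController::class, 'datatable'])
//               ->name('admin.users.datatable');
//       });
```

A feature test of the form `$this->actingAs($nonAdminUser)->get(route('admin.users.datatable'))->assertForbidden();` for each admin DataTable route turns this into a regression check.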

Fix

Improper Access Control

Missing Authorization
Weakness Enumeration

Related Identifiers

CVE-2026-34233

Affected Products

Ctrlpanel