CVE-2026-34241

Name of the Vulnerable Software and Affected Versions CtrlPanel versions prior to 1.2.0

Description A Stored Cross-Site Scripting (XSS) issue exists in the ticket reply notification system. Unsanitized content from the $newmessage variable is stored in database notification payloads and rendered without escaping in the recipient's browser. This occurs within the AppNotificationsTicketAdminAdminReplyNotification function (affecting admins when a user replies) and the AppNotificationsTicketUserReplyNotification function (affecting users when an admin replies). This allows for arbitrary JavaScript execution, which can lead to session hijacking, credential harvesting through fake login prompts or keyloggers, and privilege escalation.

Recommendations Update to version 1.2.0.