PT-2026-42018 · Ctrlpanel · Ctrlpanel

Published: 2026-05-19 · Updated: 2026-05-19 · CVE-2026-34246

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: CtrlPanel versions prior to 1.2.0

Description: A Stored Cross-Site Scripting (XSS) issue exists in the admin role management interface. In the datatable() function within app/Http/Controllers/Admin/RoleController.php, the variables role->name and role->color are interpolated into HTML and style attributes without sanitization. Additionally, the .rawColumns(['actions', 'name']) call causes DataTables to render the name column as raw HTML, bypassing output escaping. An administrator with permissions to create or edit roles can inject malicious payloads into the name or color fields. These payloads are stored in the database and execute in the browser of any administrator accessing the '/admin/roles' endpoint. This can lead to session hijacking, credential harvesting, lateral privilege escalation, and the creation of a persistent backdoor.

Recommendations: Update to version 1.2.0. As a temporary workaround, restrict access to the '/admin/roles' endpoint or limit role creation and editing permissions to only the most trusted administrators.
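To make the mechanism concrete, the following is an added illustration written for this advisory; it is not CtrlPanel's code and not the fix shipped in 1.2.0. It shows a hypothetical Yajra DataTables column closure in the vulnerable shape the description gives (name and color interpolated raw, 'name' listed in rawColumns()), beside a hardened version that HTML-escapes the name and restricts the color to a hex allowlist, plus matching input validation on the write path. The function names, the `/edit` path under '/admin/roles', the validation rules and the hex regex are assumptions.

```php
<?php
// Added illustration for PT-2026-42018 / CVE-2026-34246. Hypothetical code, not
// CtrlPanel's own: $role is assumed to be an Eloquent model with id, name and color.

use Illuminate\Http\Request;
use Yajra\DataTables\Facades\DataTables;

// Vulnerable shape as the advisory describes it: both fields are dropped straight
// into markup, and because 'name' is in rawColumns() DataTables inserts this string
// into the DOM without escaping, so a stored name or color that contains markup or
// an attribute break-out runs in every admin's browser that loads the table.
function roleNameColumnUnsafe($role): string
{
    return "<span style=\"color: {$role->color}\">{$role->name}</span>";
}

// Hardened shape: e() applies htmlspecialchars with ENT_QUOTES, so the name can only
// ever be text; the color is checked against a strict allowlist before it is placed
// in the style attribute, falling back to a neutral default when it does not match.
function roleNameColumnSafe($role): string
{
    $color = preg_match('/^#[0-9a-fA-F]{6}$/', (string) $role->color)
        ? $role->color
        : '#000000';

    return '<span style="color: ' . $color . '">' . e($role->name) . '</span>';
}

// Hardened datatable() body (assumed shape). 'name' may stay in rawColumns() only
// because the markup is now assembled from escaped / allowlisted parts.
function datatable($query)
{
    return DataTables::of($query)
        ->editColumn('name', fn ($role) => roleNameColumnSafe($role))
        ->addColumn('actions', fn ($role) =>
            '<a href="/admin/roles/' . (int) $role->id . '/edit">Edit</a>') // assumed path
        ->rawColumns(['actions', 'name'])
        ->make(true);
}

// Defence in depth: constrain the stored values at the write path as well, so a
// malformed color or an over-long name never reaches the database in the first place.
function validateRoleInput(Request $request): array
{
    return $request->validate([
        'name'  => ['required', 'string', 'max:191'],
        'color' => ['required', 'regex:/^#[0-9a-fA-F]{6}$/'],
    ]);
}
```

An alternative with the same effect is to drop 'name' from rawColumns() entirely and return the plain name from the column closure, letting the DataTables layer escape it; that loses the coloured rendering but removes the raw-HTML path altogether. Either way, the output-side escaping is the actual fix; the validation rule is only a second barrier, because data already stored before the fix still has to be rendered safely.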

Tags: Exploit · Fix · LPE · XSS

Weakness Enumeration: Improper Encoding or Escaping of Output

Related Identifiers: CVE-2026-34246

Affected Products: Ctrlpanel