CVE-2026-23525

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-23525
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23525.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-23525
Aliases
  • GHSA-mg24-6h5c-9q42
Published
2026-01-18T22:10:59.500Z
Modified
2026-01-21T02:48:41.316429Z
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
1panel App Store vulnerable to Cross-site Scripting
Details

1Panel is an open-source, web-based control panel for Linux server management. A stored Cross-Site Scripting (XSS) vulnerability exists in the 1Panel App Store when viewing application details. Malicious scripts can execute in the context of the user’s browser, potentially compromising session data or sensitive system interfaces. All versions of 1Panel up to and including v1.10.33-lts and v2.0.16 are affected. An attacker could publish a malicious application that, when loaded by users (locally or remotely), can execute arbitrary scripts. This may result in theft of user cookies, unauthorized access to system functions, or other actions that compromise the confidentiality, integrity, and availability of the system. The vulnerability is caused by insufficient sanitization of content rendered by the MdEditor component with the previewOnly attribute enabled. Specifically, the App Store renders application README content without proper XSS protection, allowing script execution during content rendering; and similar issues exist in system upgrade-related components, which can be fixed by implementing proper XSS sanitization in the MdEditor component. These vulnerabilities can be mitigated by applying proper XSS protection and sanitization when rendering content in the MdEditor component. Safe versions with a patch incorporated are v1.10.34-lts and v2.0.17.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23525.json"
}
References

Affected packages

Git / github.com/1panel-dev/1panel

Affected ranges

Type
GIT
Repo
https://github.com/1panel-dev/1panel
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
2c92226f886f87e2e31eb72849360000193e74d0
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.10.34"
        }
    ]
}
Type
GIT
Repo
https://github.com/1panel-dev/1panel
Events
Introduced
8b9337b45a3512c54061a6b1ef4a75ab42af5505
Fixed
2b7562f54688c66b52b1f16c1c5ed9bc2b886b9b
Database specific 
{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.0.17"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.10.0-lts
v1.10.1-lts
v1.10.10-lts
v1.10.12-beta
v1.10.2-lts
v1.10.3-lts
v1.10.34-lts
v1.10.4-lts
v1.10.5-lts
v1.10.7-lts
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.5.0
v1.5.1
v1.6.0
v1.6.1
v1.7.0
v1.7.1
v1.8.0
v1.8.1
v1.8.2
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v1.9.4
v1.9.5
v1.9.6
v2.*
v2.0.0
v2.0.1
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.0.16
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23525.json"