CyberPanel versions prior to 2.4.4 contain a stored cross-site scripting vulnerability in the AI Scanner dashboard where the POST /api/ai-scanner/callback endpoint lacks authentication. This allows unauthenticated attackers to inject malicious JavaScript by overwriting the findings_json field of ScanHistory records. Attackers can inject JavaScript that executes in an administrator's authenticated session when they visit the AI Scanner dashboard, allowing them to issue same-origin requests to plant cron jobs and achieve remote code execution on the server.
With a CVSS score of 5.3, the severity is classified as medium. This vulnerability poses a significant risk as it allows attackers to execute code in the context of an authenticated user. Therefore, organizations using affected versions should prioritize remediation efforts.
Risk to organizations includes potential unauthorized access to sensitive data and system manipulation. The vulnerability can be exploited through a network, requiring low complexity for an attacker to execute the exploit. Organizations should address this issue in their priority patch cycle.
As of now, no known exploits or public proof of concepts exist for this vulnerability. However, the lack of exploitability does not diminish the urgency for organizations to implement necessary updates.
Organizations should prioritize patching immediately to safeguard against potential attacks that could leverage this vulnerability.
Vulnerability Details
The vulnerability is classified under CWE-79, indicating a cross-site scripting issue. The specific attack vector is network-based, and the attack complexity is low, with no privileges required for exploitation, although user interaction is necessary.
The vulnerability was published on April 24, 2026, and affects CyberPanel versions prior to 2.4.4. The high impact on confidentiality and integrity signifies that an attacker could execute arbitrary code within the context of an administrator's session.
Technical Analysis
The root cause of this vulnerability lies in the lack of authentication checks for the AI Scanner dashboard's API endpoint. This oversight allows attackers to submit crafted requests to modify the content of ScanHistory records, facilitating the injection of malicious JavaScript.
The attack can occur remotely, and since it requires user interaction, an administrator's session is vulnerable when they access the compromised dashboard. The impact on confidentiality and integrity is critically high, as attackers can leverage the injected script to execute arbitrary commands on the server.
Risk & Impact Analysis
Real-world deployment risk includes potential unauthorized access and control over the server environment. The blast radius could extend to any organization utilizing vulnerable versions of CyberPanel, leading to critical operational disruptions and data breaches.
Given the CVSS score of 5.3, organizations should schedule remediation as a priority, especially if they use CyberPanel for critical applications. Addressing this vulnerability should also form part of a broader security strategy to mitigate similar risks.
Exploitation Status
Signal | Status |
|---|---|
Known Exploit | No |
Public PoC | No |
Actively Exploited | No |
Ransomware Use | No |
Affected Versions
All versions prior to vendor patch 2.4.4 are affected by this vulnerability. Organizations using older versions of CyberPanel should immediately update to the latest version to mitigate this risk.
Mitigation & Remediation
Organizations should prioritize patching immediately by updating to CyberPanel version 2.4.4 or later. If a patch is not available, consider implementing configuration hardening measures such as disabling the affected endpoint or restricting access to trusted IPs.
For continuous monitoring and assessment, organizations can utilize continuous penetration testing to identify similar vulnerabilities in their environment.
Detection Guidance
To detect potential exploitation, organizations should monitor for unexpected changes in the ScanHistory records of the AI Scanner dashboard. Additionally, review logs for unusual API requests to the /api/ai-scanner/callback endpoint, as well as any anomalies in user sessions.
AppSecure Threat Intelligence Insight
The stored cross-site scripting vulnerability in CyberPanel highlights the importance of implementing proper authentication checks in web applications. This incident serves as a reminder for security teams to regularly assess their applications for similar vulnerabilities.
Organizations should also review their vulnerability management program to ensure they are prepared to address emerging threats effectively.
Adopting best practices in secure coding and regular security assessments can significantly reduce the risk of vulnerabilities like this one. Organizations should also invest in penetration testing to uncover potential vulnerabilities before they can be exploited.
Finally, organizations should stay informed about the latest security trends and threats to maintain a robust security posture. Regular updates and training for development and security teams are essential for mitigating risks effectively.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
.webp)