PatchSiren cyber security CVE debrief
CVE-2026-34241 Ctrlpanel-gg CVE debrief
CVE-2026-34241 is a stored cross-site scripting vulnerability in CtrlPanel’s ticket reply notification flow. Unsanitized reply content is saved into notification payloads and later rendered unescaped in recipients’ browsers, enabling script execution in the victim’s session context. The issue affects CtrlPanel 1.1.1 and earlier and is fixed in 1.2.0.
- Vendor: Ctrlpanel-gg
- Product: panel
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-20
Who should care
CtrlPanel operators, hosting providers, and anyone managing ticket workflows should pay attention. Admin accounts are especially at risk because a low-privileged user can target administrators, and the reverse path also allows a compromised admin to target end users.
Technical summary
According to the advisory, the ticket reply content field ($newmessage) is stored directly and later output with Blade’s unescaped {!! !!} rendering in both App\Notifications\Ticket\Admin\AdminReplyNotification and App\Notifications\Ticket\User\ReplyNotification. This creates stored XSS in the notification UI, allowing arbitrary JavaScript to run when the notification is viewed. The NVD entry lists CVSS 3.1 vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N and a CWE-79 classification.
Defensive priority
High. The panel is internet-reachable, the attack requires only a low-privileged account plus the victim viewing the notification, and a successful attack can lead to session compromise and unauthorized administrative actions. Prioritize patching and a review of how notifications are rendered.
Recommended defensive actions
- Upgrade CtrlPanel to version 1.2.0 or later.
- Review ticket notification templates for any remaining unescaped output of user-controlled content.
- Verify that reply content is HTML-escaped before storage or rendering, especially in notification payloads.
- Audit admin and user ticket notification paths for similar stored XSS patterns.
- Treat existing sessions as potentially exposed if the vulnerable version was in use and investigate suspicious account actions.
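To support the template review above, here is an added audit helper (not CtrlPanel's own code) that scans Blade template text for raw `{!! !!}` echoes, the construct named in the technical summary, and reports those that are not already wrapped in Laravel's `e()` escape helper. The template paths and contents are constructed samples modelled on the advisory, not the project's real view files.

```python
import re
from typing import Dict, List, Tuple

# Blade raw-echo syntax {!! expr !!}; {{ expr }} is escaped by Blade and is not matched.
RAW_ECHO = re.compile(r"\{!!\s*(.*?)\s*!!\}", re.DOTALL)
# Blade comments are removed before scanning; newlines are kept so line numbers stay right.
BLADE_COMMENT = re.compile(r"\{\{--.*?--\}\}", re.DOTALL)
# An expression already wrapped in Laravel's e() helper is escaped and needs no review.
EXPLICIT_ESCAPE = re.compile(r"^e\(.*\)$", re.DOTALL)


def find_raw_echoes(template: str) -> List[Tuple[int, str, bool]]:
    """Return (line, expression, needs_review) for every {!! !!} echo in a Blade template."""
    stripped = BLADE_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), template)
    findings = []
    for m in RAW_ECHO.finditer(stripped):
        line = stripped.count("\n", 0, m.start()) + 1
        expr = m.group(1)
        findings.append((line, expr, EXPLICIT_ESCAPE.match(expr) is None))
    return findings


def audit(templates: Dict[str, str]) -> List[str]:
    """One report line per raw echo that is not explicitly escaped, across named templates."""
    return [
        f"{name}:{line}: unescaped output of {expr}"
        for name, body in templates.items()
        for line, expr, needs_review in find_raw_echoes(body)
        if needs_review
    ]


# Constructed sample templates (hypothetical paths, not CtrlPanel's real view files).
SAMPLE_TEMPLATES = {
    "views/notifications/reply_before.blade.php": (
        "<p>New reply on ticket #{{ $ticket->id }}</p>\n"
        "{{-- {!! $old !!} inside a Blade comment is never rendered --}}\n"
        "<div class=\"reply\">{!! $newmessage !!}</div>\n"
    ),
    "views/notifications/reply_after.blade.php": (
        "<p>New reply on ticket #{{ $ticket->id }}</p>\n"
        "<div class=\"reply\">{{ $newmessage }}</div>\n"
        "<div class=\"meta\">{!! e($author) !!}</div>\n"
    ),
}

if __name__ == "__main__":
    for issue in audit(SAMPLE_TEMPLATES):
        print(issue)
```

Run it over your own `resources/views` tree by reading each `.blade.php` file into the dictionary; every reported line is a place where user-controlled content must be confirmed safe or switched to `{{ }}`.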
Evidence notes
The CVE record and NVD detail identify the issue as CVE-2026-34241. The GitHub security advisory and CtrlPanel 1.2.0 release are the provided source references indicating the fix. The supplied description states the vulnerability affects 1.1.1 and earlier and is corrected in 1.2.0. NVD metadata also lists CWE-79 and the CVSS vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N.
Official resources
Published on 2026-05-19 and last modified on 2026-05-20. The supplied sources indicate the fix is available in CtrlPanel 1.2.0.