CVE-2026-34358 is a broken access control issue in CtrlPanel versions 1.1.1 and earlier. According to the NVD record and the linked GitHub advisory/release references, several admin controllers checked permissions on form-display paths but not on the corresponding write operations, allowing authenticated users to bypass RBAC through direct POST/PATCH requests. The issue was fixed in CtrlPanel 1.2.0.
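The pattern behind this CVE is easy to reproduce and easy to miss in review: the authorization check sits in the handler that renders the edit form, while the handler that actually writes the change has none, so a client that never loads the form is never checked. The following JavaScript is an added illustration, not CtrlPanel's code (CtrlPanel is PHP/Laravel); the route paths, the permission string `admin.roles.write`, the seed role and the tiny in-memory router are all hypothetical stand-ins for an admin "edit role" form (GET) and its write action (PATCH).

```javascript
// Added example, not CtrlPanel code. Hypothetical routes and permission names
// standing in for an admin "edit role" form (GET) and its write action (PATCH).

const WRITE_PERM = 'admin.roles.write'; // hypothetical permission string

function hasPermission(user, perm) {
  return Array.isArray(user?.permissions) && user.permissions.includes(perm);
}

// Minimal in-memory router: handlers receive { user, body } and return { status, body }.
function makeRouter() {
  const routes = new Map();
  return {
    add(method, path, handler) { routes.set(`${method} ${path}`, handler); },
    dispatch(method, path, req) {
      const handler = routes.get(`${method} ${path}`);
      return handler ? handler(req) : { status: 404 };
    },
  };
}

// Constructed seed data: one low-privilege role that an attacker wants to upgrade.
function seedRoles() {
  return new Map([[1, { id: 1, name: 'Member', permissions: ['tickets.create'] }]]);
}

// Vulnerable wiring: the RBAC check lives only in the form-display handler,
// so a client that skips the form and sends the PATCH directly is never checked.
function buildVulnerableRouter() {
  const roles = seedRoles();
  const r = makeRouter();
  r.add('GET', '/admin/roles/1/edit', (req) => {
    if (!hasPermission(req.user, WRITE_PERM)) return { status: 403 };
    return { status: 200, body: roles.get(1) };
  });
  r.add('PATCH', '/admin/roles/1', (req) => {
    const role = roles.get(1);
    role.permissions = req.body.permissions; // no authorization on the write path
    return { status: 200, body: role };
  });
  return { dispatch: r.dispatch, roles };
}

// Hardened wiring: authorization is a wrapper applied to every handler of the
// resource, so the display and write paths cannot drift apart.
function requirePermission(perm, handler) {
  return (req) => (hasPermission(req.user, perm) ? handler(req) : { status: 403 });
}

function buildHardenedRouter() {
  const roles = seedRoles();
  const r = makeRouter();
  r.add('GET', '/admin/roles/1/edit', requirePermission(WRITE_PERM, () =>
    ({ status: 200, body: roles.get(1) })));
  r.add('PATCH', '/admin/roles/1', requirePermission(WRITE_PERM, (req) => {
    const role = roles.get(1);
    role.permissions = req.body.permissions;
    return { status: 200, body: role };
  }));
  return { dispatch: r.dispatch, roles };
}

// Simulated attacker: authenticated, but without the admin permission.
const LOW_PRIV_USER = { id: 7, permissions: ['tickets.create'] };
const ESCALATION_BODY = { permissions: ['admin.roles.write', 'admin.users.write'] };

// Sends the same direct PATCH to both routers and reports what happened.
function demonstrate() {
  const vuln = buildVulnerableRouter();
  const hard = buildHardenedRouter();
  const req = { user: LOW_PRIV_USER, body: ESCALATION_BODY };
  return {
    vulnerableForm: vuln.dispatch('GET', '/admin/roles/1/edit', req).status,
    vulnerablePatch: vuln.dispatch('PATCH', '/admin/roles/1', req).status,
    vulnerableRolePerms: vuln.roles.get(1).permissions,
    hardenedPatch: hard.dispatch('PATCH', '/admin/roles/1', req).status,
    hardenedRolePerms: hard.roles.get(1).permissions,
  };
}

console.log(demonstrate());
```

The check that matters during review or testing is the one `demonstrate()` performs: send the write request directly, as an authenticated low-privilege user, without first requesting the form, and confirm it is refused. In a real Laravel application the wrapper corresponds to route middleware or a policy check applied to the whole resource group rather than to individual controller methods.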
CVE-2026-34246 describes a stored cross-site scripting flaw in CtrlPanel’s admin role management interface. In affected versions, role name and color values are rendered into HTML without sanitization, and DataTables is instructed to treat the name column as raw HTML. That combination lets a user with role creation or edit permissions store malicious content that executes in other admins’ browsers when th [truncated]
CVE-2026-34241 is a stored cross-site scripting vulnerability in CtrlPanel’s ticket reply notification flow. Unsanitized reply content is saved into notification payloads and later rendered unescaped in recipients’ browsers, enabling script execution in the victim’s session context. The issue affects CtrlPanel 1.1.1 and earlier and is fixed in 1.2.0.
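Both stored XSS issues above share one root cause: attacker-controlled text (a role name and color in the first, a ticket reply in the second) is stored verbatim and later interpolated into HTML that the browser parses as markup. The JavaScript below is an added example, not CtrlPanel's code, and covers both cases side by side: each render path in its unescaped form next to an escaped form. The cell and notification markup, the stored-notification shape and the expectation that a role color is a 6-digit hex value are assumptions made for illustration.

```javascript
// Added example, not CtrlPanel code. Shows the two render paths the advisories
// describe (role name/color in an admin table cell, ticket reply in a
// notification) rendered unescaped versus escaped. Markup and the expectation
// that a role color is a 6-digit hex value are assumptions for illustration.

function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

const HEX_COLOR = /^#[0-9a-fA-F]{6}$/; // assumed format for a stored role color
const DEFAULT_COLOR = '#6c757d';

// Vulnerable cell: name and color interpolated as-is into HTML that the table
// will insert as raw markup (the equivalent of a "raw" column in the table config).
function renderRoleCellVulnerable(role) {
  return `<span class="badge" style="background-color: ${role.color}">${role.name}</span>`;
}

// Hardened cell: text is escaped on output; the color is validated against the
// expected shape rather than escaped, because it lands inside a style attribute
// where HTML escaping alone would not stop a crafted value.
function renderRoleCellHardened(role) {
  const color = HEX_COLOR.test(role.color) ? role.color : DEFAULT_COLOR;
  return `<span class="badge" style="background-color: ${color}">${escapeHtml(role.name)}</span>`;
}

// Notification payload as persisted for later rendering (constructed shape).
function buildNotification(ticketId, replyText) {
  return { ticketId, reply: replyText }; // stored verbatim in both variants
}

function renderNotificationVulnerable(n) {
  return `<p>New reply on ticket #${n.ticketId}: ${n.reply}</p>`;
}

function renderNotificationHardened(n) {
  return `<p>New reply on ticket #${escapeHtml(n.ticketId)}: ${escapeHtml(n.reply)}</p>`;
}

// Check used by the demo and tests: returns the first tag in the output that is
// not one of the tags the templates above emit themselves, or that carries an
// inline event handler. undefined means only the expected markup is present.
function findUnexpectedMarkup(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.find((t) => !/^<\/?(span|p)\b/i.test(t) || /\son\w+\s*=/i.test(t));
}

// Constructed attacker-controlled inputs.
const EVIL_ROLE = {
  name: '<img src=x onerror=alert(document.cookie)>',
  color: 'red" onmouseover="alert(1)',
};
const EVIL_REPLY = "Thanks!<script>fetch('/admin/users')</script>";

function demonstrate() {
  const n = buildNotification(42, EVIL_REPLY);
  return {
    roleVulnerable: findUnexpectedMarkup(renderRoleCellVulnerable(EVIL_ROLE)),
    roleHardened: findUnexpectedMarkup(renderRoleCellHardened(EVIL_ROLE)),
    replyVulnerable: findUnexpectedMarkup(renderNotificationVulnerable(n)),
    replyHardened: findUnexpectedMarkup(renderNotificationHardened(n)),
  };
}

console.log(demonstrate());
```

Two points the example makes that the advisory text leaves implicit: escaping must happen at output, not at storage (the stored reply is identical in both variants, only the renderer differs), and a value that ends up inside an attribute such as `style` needs validation against its expected shape, since entity-escaping alone is the wrong tool there. On the DataTables side, the client-equivalent of the fix is a column `render` that emits text rather than HTML (DataTables ships `DataTable.render.text()` for this), combined with not marking the column as raw on the server.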