CVE-2026-34358 is a broken access control issue in CtrlPanel versions 1.1.1 and earlier. According to the NVD record and the linked GitHub advisory/release references, several admin controllers checked permissions on form-display paths but not on the corresponding write operations, allowing authenticated users to bypass RBAC through direct POST/PATCH requests. The issue was fixed in CtrlPanel 1.2.0.
CVE-2026-34246 describes a stored cross-site scripting flaw in CtrlPanel’s admin role management interface. In affected versions, role name and color values are rendered into HTML without sanitization, and DataTables is instructed to treat the name column as raw HTML. That combination lets a user with role creation or edit permissions store malicious content that executes in other admins’ browsers when th [truncated]
CVE-2026-34241 is a stored cross-site scripting vulnerability in CtrlPanel’s ticket reply notification flow. Unsanitized reply content is saved into notification payloads and later rendered unescaped in recipients’ browsers, enabling script execution in the victim’s session context. The issue affects CtrlPanel 1.1.1 and earlier and is fixed in 1.2.0.
CVE-2026-34234 is a critical unauthenticated remote code execution issue in CtrlPanel’s web-based installer. According to the published CVE description and GitHub advisory, affected versions 1.1.1 and earlier can leave installer endpoints reachable on already-installed instances because the install.lock check happens after installer form handlers are included and executed. Those handlers also pass unsanit [truncated]
## Summary **CVE-2026-34233** is a **broken access control** vulnerability in CtrlPanel, an open-source billing platform for hosting providers. In versions 1.1.1 and prior, multiple administrative DataTable endpoints under the `/admin/` route prefix lack authorization checks, allowing any authenticated user—regardless of role—to query sensitive administrative data. The issue was disclosed on 2026-05-19 an [truncated]