11 matches found
CVE-2023-36458
1Panel is an open source Linux server operation and maintenance panel. Affected versions are
CVE-2023-36457
1Panel (open-source Linux server operation/maintenance panel) prior to v1.3.6 is affected by a command injection vulnerability when adding container repositories. An authenticated attacker can craft a malicious payload (as demonstrated by the reported payloads in advisories) to trigger code execu...
CVE-2024-2352
1Panel up to 1.10.1-lts is affected by CVE-2024-2352 via command injection in the function baseApi.UpdateDeviceSwap (file /api/v1/toolbox/device/update/swap). The issue arises from untrusted input in the Path argument (example: 123123123\nopen -a Calculator), which can be exploited remotely. Publ...
CVE-2024-27288
1Panel open source Linux server panel vulnerable before version 1.10.1-lts . If a user intercepts a request with Burp to the secure entry point, they can obtain unauthorized access to the console page (no data returned or modifications in some reports). The issue is fixed in v1.10.1-lts; affected...
CVE-2024-34352
CVE-2024-34352 affects the 1Panel project (open source Linux server O&M panel). Prior to v1.10.3-lts, command injection vulnerabilities allow arbitrary file writes and can lead to remote code execution. The root cause involves inadequate input filtering and an exploit path using the mirror config...
CVE-2023-37477
1Panel exposes an OS command injection in its firewall IP endpoint (/hosts/firewall/ip). The vulnerability allows an authenticated attacker to craft input that leads to arbitrary command execution, potentially full system compromise. The issue stems from lack of input validation in the firewall f...
CVE-2024-30257
CVE-2024-30257 affects 1Panel, an open-source Linux server operations and maintenance panel. The vulnerability arises from password verification using a != comparison instead of the secure hmac.Equal , creating a timing side-channel that could facilitate password guessing. Multiple sources corrob...
CVE-2025-54424
1Panel (Go to Mode C): The CVE-2025-54424 vulnerability affects 1Panel versions 2.0.5 and earlier, where TLS certificate verification between Core and Agent endpoints is incomplete, allowing an attacker to bypass client cert validation and access high-privilege interfaces. This leads to remote co...
CVE-2025-66507
CVE-2025-66507 (1Panel) : 1Panel is affected; versions 2.0.13 and earlier expose a CAPTCHA bypass via a client-controlled parameter that the server trusted without validation. This allows an unauthenticated attacker to bypass CAPTCHA verification, enabling automated login attempts and increasing ...
CVE-2026-23525
CVE-2026-23525 affects 1Panel, a web-based Linux server management panel. The stored XSS vulnerability originates from insufficient sanitization in the MdEditor component (previewOnly) used to render App Store and related content, allowing malicious scripts to run in the user’s browser and potent...
CVE-2025-66508
1Panel (GitHub/Governance: 1Panel) contains a vulnerability where Gin’s default proxy trust config (TrustedProxies = 0.0.0.0/0) causes X-Forwarded-For headers to be trusted, letting attackers bypass IP-based access controls (AllowIPs, API whitelists, localhost checks) by sending X-Forwarded-For: ...