Cross-Site Request Forgery Vulnerability in 1Panel by 1Panel Dev
CVE-2025-34430

5.1 MEDIUM

Key Information:

Vendor: Lxware

Status
Vendor
CVE Published: 10 December 2025

What is CVE-2025-34430?

1Panel versions from 1.10.33 to 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the panel name management feature. The affected functionality lacks CSRF protections such as anti-CSRF tokens or adequate Origin/Referer header checks. As a result, an attacker can craft a malicious web page that changes the panel name without the user's consent, provided that the victim is authenticated and unwittingly visits the malicious site. This enables unauthorized changes to user configurations under those conditions.
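The Origin/Referer check named above, sketched as Go `net/http` middleware. This is an added example, not 1Panel's code or its fix; the host `panel.example.test`, the request path and the `probe` helper are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// sourceHost returns the host the browser reports in Origin, else Referer ("" if none parses).
func sourceHost(r *http.Request) string {
	v := r.Header.Get("Origin")
	if v == "" {
		v = r.Header.Get("Referer")
	}
	u, err := url.Parse(v) // "null" and "" parse to an empty Host
	if err != nil {
		return ""
	}
	return u.Host
}

// RequireSameOrigin blocks state-changing requests whose source host is absent or not r.Host.
func RequireSameOrigin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions: // safe methods pass
		default:
			if src := sourceHost(r); src == "" || src != r.Host {
				http.Error(w, "cross-origin request blocked", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request (hypothetical host and path) and returns the status.
func probe(method, origin string) int {
	req := httptest.NewRequest(method, "https://panel.example.test/hypothetical/setting", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	RequireSameOrigin(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(probe("POST", "https://panel.example.test"), probe("POST", "https://attacker.example"))
}
```

Behind a reverse proxy that rewrites `Host`, compare against a configured list of panel origins instead of `r.Host`. The check complements anti-CSRF tokens and `SameSite` cookies rather than replacing them.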

Affected Version(s)

1Panel 1.10.33 <= 2.0.15

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

av01t3x