Stored Cross-Site Scripting Vulnerability in CyberPanel by Usman Nasir
CVE-2026-41472

5.3 MEDIUM

Key Information:

Vendor: Usmannasir

CVE Published: 24 April 2026

Badges

👾 Exploit Exists

What is CVE-2026-41472?

CyberPanel versions prior to 2.4.4 are vulnerable to a stored cross-site scripting (XSS) flaw in the AI Scanner dashboard. The root cause is a missing authentication check on the POST /api/ai-scanner/callback endpoint, so an unauthenticated attacker can write to it. By manipulating the findings_json field of ScanHistory records through that endpoint, an attacker can inject malicious JavaScript into stored scan results. When an administrator later opens the AI Scanner dashboard, the injected script executes in the administrator's authenticated session and can issue same-origin requests on their behalf. Those requests could be used to plant cron jobs, leading to remote code execution on the server and compromising the integrity and security of the whole system.

Affected Version(s)

cyberpanel: all versions from 0 up to (excluding) 2.4.4

cyberpanel 0a099b1b193946555fbdd387a28486b1521f9961

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved

Credit

Djibril Mounkoro.