{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41472", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-20T16:07:47.312Z", "datePublished": "2026-04-24T20:40:12.276Z", "dateUpdated": "2026-04-27T13:37:16.906Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-24T20:40:12.276Z"}, "title": "CyberPanel < 2.4.4 Stored XSS via AI Scanner Dashboard", "datePublic": "2026-01-18T17:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "affected": [{"vendor": "usmannasir", "product": "cyberpanel", "repo": "https://github.com/usmannasir/cyberpanel", "versions": [{"status": "affected", "version": "0", "lessThan": "2.4.4", "versionType": "semver"}, {"status": "unaffected", "version": "0a099b1b193946555fbdd387a28486b1521f9961", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "CyberPanel versions prior to\u00a02.4.4 contain a stored cross-site scripting vulnerability in the AI Scanner dashboard where the POST /api/ai-scanner/callback endpoint lacks authentication and allows unauthenticated attackers to inject malicious JavaScript by overwriting the findings_json field of ScanHistory records. Attackers can inject JavaScript that executes in an administrator's authenticated session when they visit the AI Scanner dashboard, allowing them to issue same-origin requests to plant cron jobs and achieve remote code execution on the server.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "CyberPanel versions prior to&nbsp;2.4.4 contain a stored cross-site scripting vulnerability in the AI Scanner dashboard where the POST /api/ai-scanner/callback endpoint lacks authentication and allows unauthenticated attackers to inject malicious JavaScript by overwriting the findings_json field of ScanHistory records. Attackers can inject JavaScript that executes in an administrator's authenticated session when they visit the AI Scanner dashboard, allowing them to issue same-origin requests to plant cron jobs and achieve remote code execution on the server.<br>"}]}], "references": [{"url": "https://itsrez.re/post/cyberpanel-rce", "tags": ["technical-description", "exploit"]}, {"url": "https://github.com/usmannasir/cyberpanel/commit/0a099b1b193946555fbdd387a28486b1521f9961", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/cyberpanel-stored-xss-via-ai-scanner-dashboard", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"}}], "credits": [{"lang": "en", "value": "Djibril Mounkoro", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T13:37:10.501228Z", "id": "CVE-2026-41472", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:37:16.906Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41472", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T13:37:10.501228Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:37:13.558Z"}}], "cna": {"title": "CyberPanel < 2.4.4 Stored XSS via AI Scanner Dashboard", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Djibril Mounkoro"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/usmannasir/cyberpanel", "vendor": "usmannasir", "product": "cyberpanel", "versions": [{"status": "affected", "version": "0", "lessThan": "2.4.4", "versionType": "semver"}, {"status": "unaffected", "version": "0a099b1b193946555fbdd387a28486b1521f9961", "versionType": "git"}], "defaultStatus": "unaffected"}], "datePublic": "2026-01-18T17:00:00.000Z", "references": [{"url": "https://itsrez.re/post/cyberpanel-rce", "tags": ["technical-description", "exploit"]}, {"url": "https://github.com/usmannasir/cyberpanel/commit/0a099b1b193946555fbdd387a28486b1521f9961", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/cyberpanel-stored-xss-via-ai-scanner-dashboard", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "CyberPanel versions prior to\u00a02.4.4 contain a stored cross-site scripting vulnerability in the AI Scanner dashboard where the POST /api/ai-scanner/callback endpoint lacks authentication and allows unauthenticated attackers to inject malicious JavaScript by overwriting the findings_json field of ScanHistory records. Attackers can inject JavaScript that executes in an administrator's authenticated session when they visit the AI Scanner dashboard, allowing them to issue same-origin requests to plant cron jobs and achieve remote code execution on the server.", "supportingMedia": [{"type": "text/html", "value": "CyberPanel versions prior to&nbsp;2.4.4 contain a stored cross-site scripting vulnerability in the AI Scanner dashboard where the POST /api/ai-scanner/callback endpoint lacks authentication and allows unauthenticated attackers to inject malicious JavaScript by overwriting the findings_json field of ScanHistory records. Attackers can inject JavaScript that executes in an administrator's authenticated session when they visit the AI Scanner dashboard, allowing them to issue same-origin requests to plant cron jobs and achieve remote code execution on the server.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-24T20:40:12.276Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41472", "state": "PUBLISHED", "dateUpdated": "2026-04-27T13:37:16.906Z", "dateReserved": "2026-04-20T16:07:47.312Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-24T20:40:12.276Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cyberpanel:cyberpanel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D7FB98A7-0882-4C43-9D46-B23C60D07630", "versionEndExcluding": "2.4.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CyberPanel versions prior to\u00a02.4.4 contain a stored cross-site scripting vulnerability in the AI Scanner dashboard where the POST /api/ai-scanner/callback endpoint lacks authentication and allows unauthenticated attackers to inject malicious JavaScript by overwriting the findings_json field of ScanHistory records. Attackers can inject JavaScript that executes in an administrator's authenticated session when they visit the AI Scanner dashboard, allowing them to issue same-origin requests to plant cron jobs and achieve remote code execution on the server."}], "id": "CVE-2026-41472", "lastModified": "2026-04-28T15:45:19.903", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-24T21:16:18.967", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/usmannasir/cyberpanel/commit/0a099b1b193946555fbdd387a28486b1521f9961"}, {"source": "disclosure@vulncheck.com", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://itsrez.re/post/cyberpanel-rce"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/cyberpanel-stored-xss-via-ai-scanner-dashboard"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.4.4)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "code_commit", "value": "0a099b1b193946555fbdd387a28486b1521f9961"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "cyberpanel", "source": "cna", "vendor": "usmannasir"}, "product": "cyberpanel", "vendor": "usmannasir"}], "analysis": {"en": {"generated_at": "2026-04-28T05:45:13.407451+00:00", "value": {"mitigation_remediation": ["Update CyberPanel to version 2.4.4 or later to apply the vendor patch", "Restrict or block access to the /api/ai-scanner/callback endpoint until a patch is applied, using firewall rules or IP\u2011based restrictions", "If delayed patching, disable the AI Scanner feature or remove the endpoint from the installation to eliminate the vulnerable code path"], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution via XSS in the AI Scanner dashboard"}, "threat_synthesis": {"affected_systems": "The affected product is CyberPanel by usmannasir. All releases before version 2.4.4 are vulnerable; the issue was identified in the AI Scanner feature of those builds. No specific patch level is listed beyond the noted 2.4.4 release, which contains the fix.", "description_and_impact": "The vulnerability is a stored cross\u2011site scripting flaw located in the AI Scanner dashboard of CyberPanel versions prior to 2.4.4. An unauthenticated attacker can POST arbitrary JavaScript to the /api/ai-scanner/callback endpoint, overwriting the findings_json field of ScanHistory records. The injected script is executed in the context of an administrator\u2019s authenticated session when the admin visits the dashboard, enabling the attacker to issue same\u2011origin requests that plant cron jobs and ultimately execute code on the server. The primary impact is the ability for an attacker to obtain remote code execution on the affected host.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, implying it is not a widely exploited or actively targeted flaw. Attackers must send a malicious POST request to an open endpoint that is accessible without authentication and then rely on an administrator visiting the AI Scanner dashboard. While the attack requires a victim to perform an administrative action, the potential for remote code execution makes it a high\u2011value target for an attacker willing to pursue this vector."}}}}, "created": "2026-04-28T05:45:23.304467+00:00", "updated": "2026-04-28T09:17:46.071643+00:00", "vendors": ["usmannasir", "usmannasir$PRODUCT$cyberpanel"]}