CVE-2026-41472 MEDIUM

CVE-2026-41472: CyberPanel < 2.4.4 Stored XSS via AI Scanner Dashboard

Vendor Usmannasir
Product cyberpanel
Weakness CWE-79 · XSS
Published April 24, 2026
Last update April 27, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

What the vulnerability does

01 Description

CyberPanel versions prior to 2.4.4 contain a stored cross-site scripting vulnerability in the AI Scanner dashboard where the POST /api/ai-scanner/callback endpoint lacks authentication and allows unauthenticated attackers to inject malicious JavaScript by overwriting the findings_json field of ScanHistory records. Attackers can inject JavaScript that executes in an administrator's authenticated session when they visit the AI Scanner dashboard, allowing them to issue same-origin requests to plant cron jobs and achieve remote code execution on the server.
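A triage check for the stored payload described above, as an added example that is not CyberPanel's code: it walks the findings_json text of each ScanHistory row and reports string values that contain HTML markup. The row format (id, JSON text), the JSON layout and the sample rows are assumptions constructed for illustration.

```python
import json
import re

# Heuristic markers of active HTML content; meant for triage, not as a sanitizer.
MARKUP = re.compile(
    r"<\s*/?\s*[a-zA-Z][^>]*>"      # any HTML tag
    r"|\bon[a-z]+\s*="              # inline event-handler attribute
    r"|javascript\s*:",             # javascript: URL scheme
    re.IGNORECASE,
)

def suspicious_strings(node, path="$"):
    """Walk decoded JSON and yield (path, value) for strings containing markup."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from suspicious_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from suspicious_strings(value, f"{path}[{i}]")
    elif isinstance(node, str) and MARKUP.search(node):
        yield (path, node)

def audit_records(records):
    """records: iterable of (record_id, findings_json text). Returns {id: [hits]}."""
    report = {}
    for record_id, raw in records:
        try:
            doc = json.loads(raw)
        except (TypeError, ValueError):
            # A value that is not valid JSON is itself worth a look.
            report[record_id] = [("$", "unparseable findings_json")]
            continue
        hits = list(suspicious_strings(doc))
        if hits:
            report[record_id] = hits
    return report

# Constructed sample rows; the JSON layout is an assumption, not CyberPanel's schema.
SAMPLE = [
    (1, '[{"file": "wp-config.php", "issue": "world-readable"}]'),
    (2, '[{"file": "index.php", "issue": "<script>/* constructed marker */</script>"}]'),
    (3, '{"summary": {"note": "<img src=x onerror=void(0)>"}}'),
    (4, 'not json'),
]

if __name__ == "__main__":
    for rid, hits in audit_records(SAMPLE).items():
        print(rid, hits)
```

A hit means the value should be reviewed, not that it is malicious; the pattern also matches harmless text that happens to contain angle brackets.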

Key dates

02 Disclosure timeline

April 24, 2026 CVE published
April 27, 2026 Record updated
