Platform
php
Component
xiaopi-panel
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in Xiaopi Panel version 1.0.0 (affected range: 1.0.0 through 1.0.0). The flaw resides in the /demo.php file of the WAF Firewall component and allows an attacker to inject script via the 'param' argument. It is remotely exploitable, and a public proof-of-concept exists, increasing the risk of immediate exploitation. A fix is pending.
Successful exploitation of CVE-2026-5332 allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session. This can lead to session hijacking, credential theft, and defacement of the Xiaopi Panel interface. Because an exploit is publicly available, attackers can readily leverage this vulnerability against systems running the vulnerable version of Xiaopi Panel. The potential blast radius extends to any user who interacts with the compromised panel, since their actions could be manipulated by the attacker.
CVE-2026-5332 is considered a low-risk vulnerability due to its CVSS score of 3.5. However, the presence of a publicly available proof-of-concept significantly elevates the risk, as it lowers the barrier to entry for attackers. The vulnerability was disclosed on 2026-04-02, and the vendor has not responded. Active exploitation is possible given the public exploit.
Organizations and individuals using Xiaopi Panel version 1.0.0 are at immediate risk. Shared hosting environments are particularly vulnerable, as multiple users may share the same instance of Xiaopi Panel, increasing the potential for widespread compromise. Administrators who haven't implemented robust input validation practices are also at higher risk.
• php / web:
grep -r 'param=.*;' /var/www/xiaopi_panel/demo.php
• generic web:
curl -I 'http://your-xiaopi-panel/demo.php?param=<script>alert(1)</script>'
• generic web: Check access logs for requests to /demo.php with unusual or suspicious values in the 'param' parameter.
• generic web: Monitor for unusual JavaScript execution within the Xiaopi Panel interface.
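The access-log check above, as an added example that is not part of this advisory and not Xiaopi Panel code: it parses combined-format (Apache/nginx style) log lines, isolates requests to /demo.php, percent-decodes the 'param' value (repeatedly, so a double-encoded payload is not missed) and flags values that carry script-injection indicators. The log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumed combined log format (Apache/nginx default); adjust if your server logs differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Defensive indicators of reflected-script injection, matched on the decoded parameter value.
INDICATORS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-zA-Z]"),     # opening/closing HTML tag
    "js_scheme": re.compile(r"javascript\s*:", re.I),  # javascript: URL scheme
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),  # inline event attribute
}

# Constructed sample log lines (not real traffic): benign, benign-but-odd, the advisory's
# payload URL-encoded, the same payload double-encoded, and a hit on a different endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Apr/2026:10:00:01 +0000] "GET /demo.php?param=hello%20world HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Apr/2026:10:00:02 +0000] "GET /demo.php?param=1%3C2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Apr/2026:10:00:03 +0000] "GET /demo.php?param=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640 "-" "curl/8.0"
203.0.113.9 - - [02/Apr/2026:10:00:04 +0000] "GET /demo.php?param=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 640 "-" "curl/8.0"
198.51.100.2 - - [02/Apr/2026:10:00:05 +0000] "GET /index.php?param=%3Cscript%3E HTTP/1.1" 404 300 "-" "Mozilla/5.0"
"""

def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so double-encoded values are inspected decoded."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_access_log(log_text: str, endpoint: str = "/demo.php", param: str = "param") -> list:
    """Return one finding per request to `endpoint` whose `param` value matches an indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["target"])
        if url.path != endpoint:
            continue  # only the vulnerable endpoint is in scope
        for raw in parse_qs(url.query, keep_blank_values=True).get(param, []):
            value = fully_decode(raw)  # parse_qs decoded once; handle further encoding layers
            hits = [name for name, rx in INDICATORS.items() if rx.search(value)]
            if hits:
                findings.append({"ip": m["ip"], "ts": m["ts"], "value": value, "indicators": hits})
    return findings
```

Note that the second sample line ("1<2") is not flagged: a bare "<" followed by a digit is not a tag, which keeps comparison-style values out of the alert queue.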
disclosure
Exploit Status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS Vector
Due to the lack of a vendor-provided patch, immediate mitigation strategies are crucial. Implement strict input validation and output encoding on the /demo.php endpoint to sanitize the 'param' argument. A Web Application Firewall (WAF) configured to block XSS payloads targeting this specific endpoint can provide an additional layer of defense. Regularly monitor access logs for suspicious activity, particularly requests containing unusual characters or patterns in the 'param' parameter. Until an official patch is released, these workarounds offer the best available protection.
Update Xiaopi Panel to a version later than 1.0.0, if one exists, or disable/remove the WAF Firewall component. If no update is available, consider mitigating the risk by validating and sanitizing user input in the /demo.php file.
CVE-2026-5332 is a cross-site scripting (XSS) vulnerability affecting Xiaopi Panel version 1.0.0 (range 1.0.0-1.0.0), allowing attackers to inject script via the 'param' argument of the /demo.php endpoint.
If you are running Xiaopi Panel version 1.0.0, you are potentially affected by this vulnerability. Immediate mitigation steps are recommended.
A vendor patch is currently unavailable. Implement input validation, output encoding, and WAF rules as temporary mitigations.
Due to the public availability of a proof-of-concept, active exploitation is possible and likely.
As of the disclosure date, the vendor has not released an official advisory. Monitor their website and security forums for updates.