1.0.1
A cross-site scripting (XSS) vulnerability has been identified in Xiaopi Panel version 1.0.0. The flaw resides in the /demo.php file of the WAF Firewall component and allows attackers to inject malicious scripts by manipulating the 'param' argument. Remote exploitation is possible, and a public proof-of-concept exists, increasing the risk of immediate exploitation. A fix is pending.
Successful exploitation of CVE-2026-5332 allows an attacker to execute arbitrary JavaScript code in the context of a victim's browser session. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the Xiaopi Panel interface. Given the public availability of an exploit, attackers can readily leverage this vulnerability to compromise systems running vulnerable versions of Xiaopi Panel. The potential blast radius extends to any user interacting with the compromised panel, as their actions could be manipulated by the attacker.
CVE-2026-5332 is considered a low-risk vulnerability due to its CVSS score of 3.5. However, the presence of a publicly available proof-of-concept significantly elevates the risk, as it lowers the barrier to entry for attackers. The vulnerability was disclosed on 2026-04-02, and the vendor has not responded. Active exploitation is possible given the public exploit.
Organizations and individuals using Xiaopi Panel version 1.0.0 are at immediate risk. Shared hosting environments are particularly vulnerable, as multiple users may share the same instance of Xiaopi Panel, increasing the potential for widespread compromise. Administrators who haven't implemented robust input validation practices are also at higher risk.
• php / web: grep -r 'param=.*;' /var/www/xiaopi_panel/demo.php
• generic web: curl -I http://your-xiaopi-panel/demo.php?param=<script>alert(1)</script>
• generic web: Check access logs for requests to /demo.php with unusual or suspicious values in the 'param' parameter.
• generic web: Monitor for unusual JavaScript execution within the Xiaopi Panel interface.
disclosure
Exploit status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS vector
Due to the lack of a vendor-provided patch, immediate mitigation strategies are crucial. Implement strict input validation and output encoding on the /demo.php endpoint to sanitize the 'param' argument. A Web Application Firewall (WAF) configured to block XSS payloads targeting this specific endpoint can provide an additional layer of defense. Regularly monitor access logs for suspicious activity, particularly requests containing unusual characters or patterns in the 'param' parameter. Until an official patch is released, these workarounds offer the best available protection.
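To put the log-review guidance above (and the access-log check in the detection list) into practice, here is an added Python example that is not from the advisory or the Xiaopi Panel project: it scans combined-format access-log lines for /demo.php requests whose decoded 'param' value carries characters or fragments a benign value would not. The log lines are constructed for this example, and the suspicious-pattern list is an assumption to be tuned per deployment.

```python
import re
import urllib.parse
from typing import Dict, List

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Apr/2026:10:01:05 +0000] "GET /demo.php?param=hello HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [02/Apr/2026:10:01:07 +0000] "GET /demo.php?param=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640 "-" "curl/8.0"
203.0.113.12 - - [02/Apr/2026:10:01:09 +0000] "GET /index.php?page=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.13 - - [02/Apr/2026:10:01:11 +0000] "GET /demo.php?param=%22%3E%3Cb%3Ex HTTP/1.1" 200 600 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Markup characters and script-ish fragments that a benign 'param' value would not carry
# (assumed signature set; extend it for the deployment being monitored).
SUSPICIOUS_RE = re.compile(r'[<>"\']|javascript:|\bon\w+\s*=', re.IGNORECASE)


def suspicious_param_values(log_text: str) -> List[Dict[str, str]]:
    """Return one record per /demo.php request whose 'param' value looks like markup."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        url = urllib.parse.urlsplit(m.group("target"))
        if url.path != "/demo.php":
            continue  # only the vulnerable endpoint is of interest here
        query = urllib.parse.parse_qs(url.query, keep_blank_values=True)
        for value in query.get("param", []):
            # parse_qs already decoded once; a second pass surfaces double-encoded payloads.
            decoded = urllib.parse.unquote(value)
            if SUSPICIOUS_RE.search(decoded):
                hits.append({"ip": m.group("ip"), "time": m.group("ts"), "param": decoded})
    return hits


if __name__ == "__main__":
    for hit in suspicious_param_values(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} param={hit['param']!r}")
```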
Update Xiaopi Panel to a version later than 1.0.0 if one exists, or disable/remove the WAF Firewall component. If no update is available, consider mitigating the risk by validating and sanitizing user input in the /demo.php file.
CVE-2026-5332 is a cross-site scripting (XSS) vulnerability affecting Xiaopi Panel version 1.0.0, allowing attackers to inject malicious scripts via the /demo.php endpoint.
If you are running Xiaopi Panel version 1.0.0, you are potentially affected by this vulnerability. Immediate mitigation steps are recommended.
A vendor patch is currently unavailable. Implement input validation, output encoding, and WAF rules as temporary mitigations.
Due to the public availability of a proof-of-concept, active exploitation is possible and likely.
As of the disclosure date, the vendor has not released an official advisory. Monitor their website and security forums for updates.