Share
## https://sploitus.com/exploit?id=6FA4EF49-7246-57C8-ACC6-168343F284D5
# CyberPanel XSS to RCE (CVE-2026-XXXXX)
One-click Remote Code Execution in CyberPanel v2.4.3 via unauthenticated API endpoints.
## Overview
This exploit chains multiple vulnerabilities in CyberPanel's AI Scanner feature:
1. **Unauthenticated Database Injection** โ `/api/ai-scanner/callback` accepts arbitrary data without authentication
2. **Stored XSS** โ Malicious payloads are rendered unsanitized in the admin dashboard
3. **CSRF to RCE** โ XSS hijacks admin session to create a malicious cron job
## Affected Versions
- CyberPanel โค 2.4.3