CVE-2025-34430
MEDIUM1Panel 1.10.33-2.0.15 - Cross-Site Request Forgery in Panel Name Management
Title source: llmDescription
1Panel versions 1.10.33 through 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the panel name management functionality. The affected endpoint does not implement CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a panel-name change request; if a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows a remote attacker to change the victim’s panel name to an arbitrary value without consent.
References (3)
Core 3
Core References
Product, Release Notes product
https://github.com/1Panel-dev/1Panel/releases
Product product
https://1panel.pro/
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/1panel-csrf-panel-name-modification
Scores
CVSS v3
4.3
EPSS
0.0017
EPSS Percentile
6.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-352
Status
published
Products (2)
1Panel-dev/1Panel
1.10.33Go
fit2cloud/1panel
1.10.33-lts - 2.0.15
Published
Dec 10, 2025
Tracked Since
Feb 18, 2026