CVE-2025-34430

MEDIUM

Fit2cloud 1panel < 2.0.15 - CSRF

Title source: rule

Description

1Panel versions 1.10.33 through 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the panel name management functionality. The affected endpoint does not implement CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a panel-name change request; if a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows a remote attacker to change the victim’s panel name to an arbitrary value without consent.

References (3)

[Product] https://1panel.pro/

[Product, Release Notes] https://github.com/1Panel-dev/1Panel/releases

[Third Party Advisory] https://www.vulncheck.com/advisories/1panel-csrf-panel-name-modification

Scores

CVSS v3 4.3

EPSS 0.0003

EPSS Percentile 9.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Classification

CWE

CWE-352

Status published

Affected Products (2)

fit2cloud/1panel < 2.0.15

1Panel-dev/1Panel Go

Timeline

Published Dec 10, 2025

Tracked Since Feb 18, 2026