CVE-2025-34430
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk8th percentile - higher than 8% of all known CVEs
Summary
CSRF vulnerability in 1Panel versions 1.10.33 through 2.0.15 in the panel name management functionality. Lack of CSRF defenses (tokens, Origin/Referer validation) allows an attacker to change the victim's panel name without consent via a crafted webpage.
Risk Assessment
An attacker can change the administrator's panel name to an arbitrary value, potentially leading to confusion, loss of trust, or further social engineering attacks.
Recommendation
Immediately update 1Panel to version 2.0.16 or later, which includes the CSRF fix. As a temporary mitigation, implement additional Origin/Referer header validation at the proxy level.
Original NVD description (English source)
1Panel versions 1.10.33 through 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the panel name management functionality. The affected endpoint does not implement CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a panel-name change request; if a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows a remote attacker to change the victim’s panel name to an arbitrary value without consent.

