CVE-2025-34410 — Vulnetix

CVE-2025-34410 PUBLISHED CVSS 7 HIGH

1Panel contains a cross-site request forgery (CSRF) vulnerability in the Change Username functionality

EPSS 0.04% · 12.9th percentile

Risk Scores

CVSS v4.0

7

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

EPSS Score

0.04%

12.9th percentile

Affected Products

Vendor	Product	Versions
fit2cloud	1panel	1.10.33, 1.10.33-lts
LXware	1Panel	1.10.33
github.com	1Panel-dev/1Panel	1.10.33

Timeline

Dec 10, 2025 CVE Published
Dec 11, 2025 EPSS Score
Dec 15, 2025 EPSS Score
Dec 19, 2025 EPSS Score
Dec 23, 2025 CVE Updated
Dec 23, 2025 EPSS Score
Dec 27, 2025 EPSS Score
Jan 1, 2026 EPSS Score
Jan 5, 2026 EPSS Score
Jan 9, 2026 EPSS Score
Jan 13, 2026 EPSS Score
Jan 17, 2026 EPSS Score

References

https://github.com/1Panel-dev/1Panel/releases url
https://1panel.pro/ url
https://www.vulncheck.com/advisories/1panel-csrf-in-change-username-functionality-allows-account-lockout third-party-advisory
https://nvd.nist.gov/vuln/detail/CVE-2025-34410 advisory
https://1panel.pro url
https://github.com/1Panel-dev/1Panel package

Open in Interactive Console →

$ Console Community · 100/wk Open console ›