panel is vulnerable to Cross-Site Scripting (XSS)
54
Medium Risk
Panel's bundled panel.js (built from the TypeScript in panel/models/) had two security issues. In formatError in util.ts, the code that displays syntax errors escaped angle brackets with a pair of single-occurrence string replacements, which rewrite only the first > and the first < in the string; code containing multiple angle brackets could therefore break rendering or allow XSS when the error output was shown. In the Plotly model (plotly.ts), column resolution for object data used a path derived from column names to set properties on the trace object without validating the keys; a crafted path (for example one containing __proto__ or constructor) could overwrite the prototype. The fix replaces the string patterns with global regex escaping in formatError and validates each path segment against a forbidden-key set, using Object.hasOwn and safe path resolution for Plotly.
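Both defect classes side by side with a hardened form, as an added example that is not Panel's own code; the function names and the dotted-path syntax are assumptions for illustration.

```javascript
// Added example (not Panel's code): the two defect classes the advisory
// describes, each beside a hardened form. All function names are hypothetical.

// Vulnerable: a string pattern makes String.prototype.replace rewrite only the
// first match, so "<b><i>" becomes "&lt;b&gt;<i>" and the second tag survives.
function escapeFirstOnly(code) {
  return code.replace("<", "&lt;").replace(">", "&gt;");
}

// Hardened: global regexes (/g) escape every occurrence, and & is handled
// first so that an already-escaped entity is not rewritten twice.
function escapeHtml(code) {
  return code
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Keys that must never be written through a path derived from untrusted
// input: assigning to them reaches Object.prototype (prototype pollution).
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened path setter: rejects forbidden segments, descends only into own
// properties (Object.hasOwn), and creates plain objects for missing segments.
function setPathSafe(target, path, value) {
  const segments = path.split(".");
  let current = target;
  for (let i = 0; i < segments.length; i++) {
    const key = segments[i];
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to set forbidden key: ${key}`);
    }
    if (i === segments.length - 1) {
      current[key] = value;
      return target;
    }
    const child = Object.hasOwn(current, key) ? current[key] : undefined;
    if (typeof child !== "object" || child === null) {
      current[key] = {};
    }
    current = current[key];
  }
  return target;
}
```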
You are affected if you are using a version that falls within the vulnerable range.
panel is vulnerable to Cross-Site Scripting (XSS) in versions 1.8.0 - 1.8.9.
Upgrade the panel library to the patched version.