panel is vulnerable to Cross-Site Scripting (XSS)
Medium Risk
Panel's bundled panel.js (built from the TypeScript in panel/models/) had two security issues. In formatError in util.ts, the code that displays syntax errors escaped angle brackets with two chained string-pattern replace calls (one for ">" and one for "<"); a string-pattern replace only touches the first occurrence of each character, so code containing multiple angle brackets could break rendering or allow XSS when the error output was shown. In the Plotly model (plotly.ts), column resolution for object data used a path derived from column names to set properties on the trace object without validating the path's keys; a crafted path (e.g. one containing __proto__ or constructor) could overwrite the prototype. The fix replaces the string patterns in formatError with a global regex, and in the Plotly model validates each path segment against a forbidden-key set and resolves the path safely using Object.hasOwn.
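The two defect patterns described above, each shown beside a hardened version, as an added example that is not Panel's own code. The function names (escapeFirstOnly, escapeHtml, setPathUnsafe, setPathSafe), the entity table and the path syntax are assumptions for illustration; the forbidden-key set mirrors the keys the advisory names.

```javascript
// Added example, not code from Panel. Names and the dotted-path syntax are assumptions.

// --- Defect 1: escaping only the first occurrence ---
// A string pattern passed to String.prototype.replace matches once, so every
// angle bracket after the first of each kind reaches the DOM unescaped.
function escapeFirstOnly(code) {
  return code.replace(">", "&gt;").replace("<", "&lt;");
}

// Hardened: a global regex replaces every occurrence. Ampersand and quotes are
// escaped too so the result is safe in both text and attribute contexts.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(code) {
  return String(code).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Detection helper: true when supposedly escaped output still carries a raw bracket.
function leaksRawAngleBrackets(escaped) {
  return /[<>]/.test(escaped);
}

// --- Defect 2: unvalidated path segments when assigning into a trace object ---
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Unsafe: descends through any property, inherited ones included, so a path
// beginning with "__proto__" or "constructor.prototype" lands on Object.prototype.
function setPathUnsafe(target, path, value) {
  const parts = path.split(".");
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === undefined) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Hardened: reject forbidden segments up front, then only step into own
// plain-object properties (Object.hasOwn), creating fresh objects otherwise.
function setPathSafe(target, path, value) {
  const parts = path.split(".");
  for (const p of parts) {
    if (FORBIDDEN_KEYS.has(p)) throw new Error(`forbidden key in path: ${p}`);
  }
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (!Object.hasOwn(cur, key) || typeof cur[key] !== "object" || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Returns true if an unrelated empty object now sees `key`, i.e. the prototype was polluted.
function prototypeIsPolluted(key) {
  return ({})[key] !== undefined;
}
```

Rejecting the forbidden keys is the primary control; the Object.hasOwn check is defence in depth, because it stops the walk from ever following an inherited property such as a non-blocklisted getter on the prototype chain.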
You are affected if you are using a version that falls within the vulnerable range.
panel is vulnerable to Cross-Site Scripting (XSS) in versions 1.8.0 - 1.8.9.
Upgrade the panel library to a patched version.