cPanel prior to 82.0.18 allows self-XSS because JSON string escaping is mishandled (SEC-520).
cpanel cpanel