CVE-2026-39422

UNKNOWN 0.0

MaxKB has Stored XSS via ChatHeadersMiddleware

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

13th

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability through the application name or icon fields when creating an application. When a victim visits the public chat interface (/ui/chat/{access_token}), the ChatHeadersMiddleware retrieves the application data and directly inserts the unescaped application name and icon into the HTML response via string replacement. This allows an attacker to execute arbitrary JavaScript in the victim's browser context. This issue has been fixed in version 2.8.0.

CWE	CWE-79
Vendor	1panel-dev
Product	maxkb
Published	Apr 14, 2026
Last Updated	Apr 14, 2026

Stay Ahead of the Next One

Get instant alerts for 1panel-dev maxkb

Be the first to know when new unknown vulnerabilities affecting 1panel-dev maxkb are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

1Panel-dev / MaxKB

< 2.8.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-wf7p-3jq5-q52w github.com: https://github.com/1Panel-dev/MaxKB/commit/026a2d623e2aa5efa67c4834651e79d5d7cab1da github.com: https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0