CVE-2026-39423

UNKNOWN 0.0

Stored XSS via Eval Injection in EchartsRander Component

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

13th

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain an Eval Injection vulnerability in the Markdown rendering engine that allows any user capable of interacting with the AI chat interface to execute arbitrary JavaScript in the browsers of other users, including administrators, resulting in Stored Cross-Site Scripting (XSS). This issue has been fixed in version 2.8.0.

CWE	CWE-79 CWE-95
Vendor	1panel-dev
Product	maxkb
Published	Apr 14, 2026
Last Updated	Apr 14, 2026

Stay Ahead of the Next One

Get instant alerts for 1panel-dev maxkb

Be the first to know when new unknown vulnerabilities affecting 1panel-dev maxkb are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

1Panel-dev / MaxKB

< 2.8.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-462x-99gf-mp79 github.com: https://github.com/1Panel-dev/MaxKB/commit/34fb95bde9574c5b3a734ab00c7f29b9e7d32669 github.com: https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0