Description
A vulnerability has been found in 1Panel-dev MaxKB up to 2.4.2. Impacted is an unknown function of the file ui/src/chat.ts of the component MdPreview. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.5.0 is recommended to address this issue. The name of the patch is 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Published: 2026-04-13
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting
Action: Patch
AI Analysis

Impact

A cross-site scripting flaw exists in the MdPreview component of 1Panel-dev MaxKB, specifically within the chat.ts file. The vulnerability allows an attacker to inject arbitrary scripts into the application's user interface. This can compromise the confidentiality, integrity, and availability of the system by executing malicious code in the context of legitimate users. The weakness is categorized under CWE-79 (XSS) and CWE-94 (Code Injection), indicating that user input is improperly sanitized before rendering or execution. Attackers may exploit the flaw remotely without needing elevated privileges, using crafted payloads delivered through the chat or preview functionality. The vulnerability is present in all MaxKB releases up to version 2.4.2; the vendor has released a fix in version 2.5.0. The publicly disclosed exploit can be found on GitHub and has already been used in the wild.

Affected Systems

The affected product is 1Panel-dev MaxKB, version 2.4.2 and earlier. Any installation that has not been upgraded to the patched release (v2.5.0) remains vulnerable. The vulnerability affects the MdPreview chat component.

Risk and Exploitability

The CVSS score is 5.1, indicating a medium severity. Because the exploit is publicly available on GitHub and the vulnerability is exploitable remotely, the likelihood of attack is significant. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the presence of a public exploit and the straightforward remote execution path raise the risk profile.

Generated by OpenCVE AI on April 13, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the fix identified by commit 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8, which is included in MaxKB v2.5.0
  • Upgrade the MaxKB component to version 2.5.0 or later
  • Verify that the MdPreview chat.ts file has been updated and that input validation is in place
  • Monitor vendor channels for any additional patches or advisories

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 10:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: A vulnerability has been found in 1Panel-dev MaxKB up to 2.4.2. Impacted is an unknown function of the file ui/src/chat.ts of the component MdPreview. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.5.0 is recommended to address this issue. The name of the patch is 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Type: Title
Values Removed: (none)
Values Added: 1Panel-dev MaxKB MdPreview chat.ts cross site scripting

Type: First Time appeared
Values Removed: (none)
Values Added: Maxkb; Maxkb maxkb

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79; CWE-94

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:maxkb:maxkb:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Maxkb; Maxkb maxkb

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV2_0
  {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}

  cvssV3_0
  {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}

  cvssV3_1
  {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}

  cvssV4_0
  {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-13T13:01:08.819Z

Reserved: 2026-04-11T07:34:46.231Z

Link: CVE-2025-15632

Vulnrichment

Updated: 2026-04-13T13:01:02.824Z

NVD

Status: Awaiting Analysis

Published: 2026-04-13T10:16:10.160

Modified: 2026-04-13T15:01:43.663

Link: CVE-2025-15632

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:52:31Z

Weaknesses