Description
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability through the application name or icon fields when creating an application. When a victim visits the public chat interface (/ui/chat/{access_token}), the ChatHeadersMiddleware retrieves the application data and directly inserts the unescaped application name and icon into the HTML response via string replacement. This allows an attacker to execute arbitrary JavaScript in the victim's browser context. This issue has been fixed in version 2.8.0.
Published: 2026-04-14
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting enabling arbitrary JavaScript execution in users' browsers.
Action: Immediate Patch
AI Analysis

Impact

A stored cross‑site scripting vulnerability allows an attacker to embed malicious JavaScript into the application name or icon fields when creating an application. The ChatHeadersMiddleware then retrieves this data and inserts it unescaped into the public chat page, causing the script to run in any visitor’s browser. The weakness is classified as CWE‑79 and can lead to session hijacking, data theft, and defacement of the web interface.

Affected Systems

The issue affects the 1Panel‑dev MaxKB platform, specifically all releases up to and including version 2.7.1. Version 2.8.0 contains the fix, which properly escapes these fields.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. Exploitation requires the attacker to create or modify an application with malicious fields, and relies on a victim visiting the public chat URL with an access token. Because the vulnerability is stored and can be reused, any user who accesses the chat interface is at risk. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, indicating no widespread exploitation yet.

Generated by OpenCVE AI on April 14, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MaxKB to version 2.8.0 or later.
  • Remove or sanitize existing application entries that contain malicious name or icon fields.
  • Ensure future deployments validate and escape user input for application metadata.
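To make the mechanism in the description and the last two recommended actions concrete, here is an added Python illustration. It is not MaxKB's own code: the template, its `{{APP_NAME}}`/`{{APP_ICON}}` placeholders, the default icon path and the sample application rows are all assumptions. It shows the unsafe pattern the advisory describes (raw string replacement of application metadata into the chat page HTML) beside an escaped version that also validates the icon URL, plus a small triage check for existing stored entries.

```python
"""
Added illustration, not MaxKB's own code: string replacement of application
name/icon into HTML without escaping (the CWE-79 pattern in the advisory)
versus an escaped, URL-validated rendering, plus a triage scan of stored rows.
"""
import html
from urllib.parse import urlsplit

# Hypothetical chat page template; placeholder names are assumptions.
CHAT_TEMPLATE = (
    '<html><head><title>{{APP_NAME}}</title>'
    '<link rel="icon" href="{{APP_ICON}}"></head>'
    '<body><h1>{{APP_NAME}}</h1></body></html>'
)

DEFAULT_ICON = "/ui/favicon.ico"  # assumed fallback, not a real MaxKB path


def render_unsafe(template: str, name: str, icon: str) -> str:
    """Vulnerable pattern: the stored values land in the page verbatim."""
    return template.replace("{{APP_NAME}}", name).replace("{{APP_ICON}}", icon)


def safe_icon_url(icon: str) -> str:
    """Accept only absolute http(s) URLs or same-origin absolute paths.

    Anything else (a javascript: scheme, a protocol-relative //host path,
    an empty value) is replaced by the neutral default.
    """
    parts = urlsplit(icon.strip())
    if parts.scheme in ("http", "https") and parts.netloc:
        return icon.strip()
    if not parts.scheme and icon.startswith("/") and not icon.startswith("//"):
        return icon
    return DEFAULT_ICON


def render_safe(template: str, name: str, icon: str) -> str:
    """Hardened form: escape for both text and attribute context, validate URL."""
    return (
        template
        .replace("{{APP_NAME}}", html.escape(name, quote=True))
        .replace("{{APP_ICON}}", html.escape(safe_icon_url(icon), quote=True))
    )


def is_suspicious_metadata(value: str) -> bool:
    """Cheap triage rule for existing rows: markup characters in a display
    name, or a script-capable scheme in an icon field, deserve review."""
    lowered = value.strip().lower()
    return "<" in value or ">" in value or lowered.startswith("javascript:")


def find_suspicious(apps: list[dict]) -> list[str]:
    """Return the names of application rows whose name or icon trips the rule."""
    return [
        app["name"]
        for app in apps
        if is_suspicious_metadata(app["name"]) or is_suspicious_metadata(app["icon"])
    ]


# Constructed sample rows standing in for the applications table.
SAMPLE_APPS = [
    {"name": "Support Bot", "icon": "/static/bot.png"},
    {"name": "Docs <script>alert(1)</script>", "icon": "/static/docs.png"},
    {"name": "HR Assistant", "icon": "javascript:void(0)"},
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        print(render_safe(CHAT_TEMPLATE, app["name"], app["icon"]))
    print("needs review:", find_suspicious(SAMPLE_APPS))
```

Escaping with `quote=True` matters because the icon value is placed inside a quoted attribute, where a stray `"` would otherwise end the attribute; the URL check is separate because escaping alone does not stop a `javascript:` href from being honoured by the browser.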


Advisories

No advisories yet.

History

Mon, 20 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Maxkb
Maxkb maxkb
CPEs cpe:2.3:a:maxkb:maxkb:*:*:*:*:-:*:*:*
Vendors & Products Maxkb
Maxkb maxkb
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared 1panel
1panel maxkb
Vendors & Products 1panel
1panel maxkb

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Description MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability through the application name or icon fields when creating an application. When a victim visits the public chat interface (/ui/chat/{access_token}), the ChatHeadersMiddleware retrieves the application data and directly inserts the unescaped application name and icon into the HTML response via string replacement. This allows an attacker to execute arbitrary JavaScript in the victim's browser context. This issue has been fixed in version 2.8.0.
Title MaxKB has Stored XSS via ChatHeadersMiddleware
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T13:32:41.804Z

Reserved: 2026-04-07T00:23:30.595Z

Link: CVE-2026-39422

Vulnrichment

Updated: 2026-04-14T13:32:31.901Z

NVD

Status : Analyzed

Published: 2026-04-14T01:16:04.850

Modified: 2026-04-20T17:34:36.830

Link: CVE-2026-39422

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:31:11Z

Weaknesses