Description
A vulnerability was detected in 1Panel-dev MaxKB up to 2.2.1. This vulnerability affects the function StaticHeadersMiddleware of the file apps/common/middleware/static_headers_middleware.py of the component Public Chat Interface. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. Upgrading to version 2.8.0 is able to resolve this issue. The patch is identified as 026a2d623e2aa5efa67c4834651e79d5d7cab1da. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Published: 2026-04-11
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting
Action: Patch Immediately
AI Analysis

Impact

A vulnerability exists in the StaticHeadersMiddleware component of 1Panel-dev MaxKB versions up to 2.2.1. The middleware fails to sanitize the Name argument, allowing attackers to inject script payloads into HTTP responses. This cross-site scripting flaw can execute arbitrary JavaScript in the victim's browser, potentially hijacking sessions, defacing user interfaces, or redirecting users to malicious sites. The weakness is classified as cross-site scripting (CWE-79) and is additionally tagged as code injection (CWE-94).

Affected Systems

1Panel-dev MaxKB's Public Chat Interface is affected, specifically the StaticHeadersMiddleware implementation. Versions up to 2.2.1 are vulnerable; the fix is included in release 2.8.0. The vulnerability is confined to the component that processes chat messages and their metadata, so only installations that expose the public chat interface are at risk.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and an attacker can exploit the flaw remotely by sending a crafted Name value to the chat endpoint. EPSS data is unavailable, but the vulnerability has an active public exploit, as documented by the vendor and the community. Although the issue is not listed in the CISA KEV catalog, the exploit is publicly available, so organizations should treat the flaw with high operational urgency, prioritizing code remediation and monitoring for abuse.

Generated by OpenCVE AI on April 11, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MaxKB to version 2.8.0 or later.
  • Verify the upgrade by checking the installed middleware version and testing how the Name argument is handled by the public chat interface.
  • Monitor logs for any unusual activity after patching.


Tracking


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 13:15:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                1panel; 1panel maxkb
Vendors & Products   -                1panel; 1panel maxkb

Sat, 11 Apr 2026 22:30:00 +0000

Type                 Values Removed   Values Added
Description          -                A vulnerability was detected in 1Panel-dev MaxKB up to 2.2.1. This vulnerability affects the function StaticHeadersMiddleware of the file apps/common/middleware/static_headers_middleware.py of the component Public Chat Interface. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. Upgrading to version 2.8.0 is able to resolve this issue. The patch is identified as 026a2d623e2aa5efa67c4834651e79d5d7cab1da. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Title                -                1Panel-dev MaxKB Public Chat static_headers_middleware.py StaticHeadersMiddleware cross site scripting
First Time appeared  -                Maxkb; Maxkb maxkb
Weaknesses           -                CWE-79; CWE-94
CPEs                 -                cpe:2.3:a:maxkb:maxkb:*:*:*:*:*:*:*:*
Vendors & Products   -                Maxkb; Maxkb maxkb
References           -                -
Metrics              -                cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}
                                      cvssV3_0: {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
                                      cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
                                      cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-13T12:26:30.360Z

Reserved: 2026-04-11T07:33:57.699Z

Link: CVE-2026-6106

Vulnrichment

Updated: 2026-04-13T12:26:17.158Z

NVD

Status: Deferred

Published: 2026-04-11T23:16:05.823

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-6106

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:56:30Z

Weaknesses