Description
A flaw has been found in 1Panel-dev MaxKB up to 2.6.1. This issue affects some unknown processing of the file apps/common/middleware/chat_headers_middleware.py of the component ChatHeadersMiddleware. This manipulation of the argument Name causes cross site scripting. Remote exploitation of the attack is possible. Upgrading to version 2.8.0 is capable of addressing this issue. Patch name: 026a2d623e2aa5efa67c4834651e79d5d7cab1da. Upgrading the affected component is advised. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Published: 2026-04-12
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

A flaw in the MaxKB ChatHeadersMiddleware allows an attacker to manipulate the Name argument and inject arbitrary script code, resulting in cross‑site scripting. Remote exploitation is possible, meaning a remote user can trigger script execution in the victim’s browser. The vulnerability is identified as CWE‑79 for reflected XSS and CWE‑94 for potential code injection via input arguments.

Affected Systems

The vulnerability affects versions of 1Panel‑dev’s MaxKB product up to 2.6.1, specifically the middleware file apps/common/middleware/chat_headers_middleware.py. A fix is included in release 2.8.0, which removes the unchecked handling of the Name parameter.

Risk and Exploitability

The CVSS score of 5.1 classifies the issue as moderate. An EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating it has not yet been widely exploited in the wild. Attackers would target the web‑facing interface, crafting a request that supplies a malicious Name value to the middleware; successful exploitation would allow arbitrary script execution in the context of the victim’s session, potentially leading to session hijacking, defacement, or data theft.

Generated by OpenCVE AI on April 12, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MaxKB to version 2.8.0 or later to apply the vendor patch that sanitizes the Name argument.
  • If an upgrade is not immediately possible, apply input validation to the Name parameter by enforcing a strict whitelist of allowable characters and limiting its length.
  • Audit the ChatHeadersMiddleware implementation for other unsanitized input points and deploy a web application firewall rule to block suspicious script payloads.
  • Verify that the patched version is deployed and that no legacy code paths remain active.
  • Monitor application logs for attempted XSS injections and respond to any successful exploit attempts.
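The whitelist-plus-length-limit validation and the log monitoring the actions above describe, as an added Python example. This is not MaxKB's code: the real handling in apps/common/middleware/chat_headers_middleware.py is not shown on this page, so the function names, the character policy, the fallback value and the sample header values are all assumptions, and the framework request object is replaced by plain strings so the snippet runs stand-alone.

```python
import html
import re
from typing import Optional

# Constructed policy for this example (an assumption, not MaxKB's real rule):
# a display name may contain letters, digits, space, dot, underscore,
# apostrophe and hyphen, and is capped at NAME_MAX_LEN characters.
NAME_MAX_LEN = 64
NAME_ALLOWED = re.compile(r"[A-Za-z0-9 ._'-]+")


def validate_name(raw: Optional[str]) -> Optional[str]:
    """Return the trimmed header value if it passes the whitelist, else None.

    Rejecting instead of stripping means a value carrying '<', '>', quotes or
    control characters never reaches a later rendering step at all.
    """
    if raw is None:
        return None
    value = raw.strip()
    if not value or len(value) > NAME_MAX_LEN:
        return None
    if NAME_ALLOWED.fullmatch(value) is None:
        return None
    return value


def reflect_unsafe(name: str) -> str:
    """'Before' shape of this bug class: the value is interpolated into HTML
    untouched, so markup in the header becomes markup in the page."""
    return f'<span class="user">{name}</span>'


def reflect_safe(raw: Optional[str], fallback: str = "anonymous") -> str:
    """'After' shape: validate on the way in, escape on the way out.

    The escape step is kept even though the whitelist already excludes '<' and
    '>', so the output stays safe if the whitelist is later relaxed.
    """
    name = validate_name(raw)
    if name is None:
        name = fallback  # hypothetical fallback; the input is never echoed back
    return f'<span class="user">{html.escape(name, quote=True)}</span>'


def flag_for_logging(raw: Optional[str]) -> bool:
    """Cheap log-side heuristic: True when a rejected header value contains
    HTML markup characters, so such requests can be counted and alerted on."""
    if raw is None or validate_name(raw) is not None:
        return False
    return "<" in raw or ">" in raw


# Constructed sample header values (not captured traffic).
SAMPLE_HEADERS = [
    "alice.smith",
    "  Bob O'Neil  ",
    "<b>bold</b>",
    "x" * (NAME_MAX_LEN + 1),
    "line\nbreak",
]

if __name__ == "__main__":
    for raw in SAMPLE_HEADERS:
        print(repr(raw[:20]), "->", validate_name(raw), "|",
              reflect_safe(raw), "| flag:", flag_for_logging(raw))
```

Validation on input and escaping on output are deliberately separate: the first keeps bad values out of the application, the second keeps the page safe even for values the whitelist lets through (the apostrophe in the sample name is escaped to `&#x27;`).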

Generated by OpenCVE AI on April 12, 2026 at 02:50 UTC.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 16:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: 1panel; 1panel maxkb

Type: Vendors & Products
Values removed: (none)
Values added: 1panel; 1panel maxkb

Sun, 12 Apr 2026 01:15:00 +0000

Type: Description
Values removed: (none)
Values added: A flaw has been found in 1Panel-dev MaxKB up to 2.6.1. This issue affects some unknown processing of the file apps/common/middleware/chat_headers_middleware.py of the component ChatHeadersMiddleware. This manipulation of the argument Name causes cross site scripting. Remote exploitation of the attack is possible. Upgrading to version 2.8.0 is capable of addressing this issue. Patch name: 026a2d623e2aa5efa67c4834651e79d5d7cab1da. Upgrading the affected component is advised. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Type: Title
Values removed: (none)
Values added: 1Panel-dev MaxKB ChatHeadersMiddleware chat_headers_middleware.py cross site scripting

Type: First Time appeared
Values removed: (none)
Values added: Maxkb; Maxkb maxkb

Type: Weaknesses
Values removed: (none)
Values added: CWE-79; CWE-94

Type: CPEs
Values removed: (none)
Values added: cpe:2.3:a:maxkb:maxkb:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values removed: (none)
Values added: Maxkb; Maxkb maxkb

Type: References
Values removed: (none)
Values added: (none shown)

Type: Metrics
Values removed: (none)
Values added:
cvssV2_0 {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:ND/RL:OF/RC:C'}
cvssV3_0 {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C'}
cvssV3_1 {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C'}
cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-15T15:16:00.722Z

Reserved: 2026-04-11T07:34:25.313Z

Link: CVE-2026-6107

Vulnrichment

Updated: 2026-04-15T15:15:56.811Z

NVD

Status : Deferred

Published: 2026-04-12T01:16:16.583

Modified: 2026-04-24T18:00:32.033

Link: CVE-2026-6107

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:56:29Z

Weaknesses