Zero Day MonitorZDM

← Back to list

—

CVE-2026-39422EXPLOITEDPATCHED

1panel-dev · maxkb

MaxKB has Stored XSS via ChatHeadersMiddleware

Description

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability through the application name or icon fields when creating an application. When a victim visits the public chat interface (/ui/chat/{access_token}), the ChatHeadersMiddleware retrieves the application data and directly inserts the unescaped application name and icon into the HTML response via string replacement. This allows an attacker to execute arbitrary JavaScript in the victim's browser context. This issue has been fixed in version 2.8.0.

Affected Products

Vendor	Product	Versions
1panel-dev	maxkb	< 2.8.0

References

https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-wf7p-3jq5-q52w(x_refsource_CONFIRM)
https://github.com/1Panel-dev/MaxKB/commit/026a2d623e2aa5efa67c4834651e79d5d7cab1da(x_refsource_MISC)
https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB3h ago

CVE-2026-39422 | 1Panel-dev MaxKB up to 2.7.x Public Chat Interface /ui/chat/ name/icon cross site scripting (GHSA-wf7p-3jq5-q52w)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

2.8.0

CWECWE-79

PublishedApr 14, 2026

Last enriched2h agov2

Tags

CVE-2026-39422

Trending Score46

Source articles1

Independent1

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-39421EXP

MaxKB: Sandbox escape via ctypes and unhooked SYS_pkey_mprotect

CRITICALCVE-2026-39420EXP

MaxKB: Sandbox escape via LD_PRELOAD bypass

HIGHCVE-2026-39425EXP

MaxKB: Stored XSS via Unsanitized html_rander Tags in Markdown Rendering

HIGHCVE-2026-39426EXP

MaxKB: Stored XSS via Unsanitized iframe_render Parsing

HIGHCVE-2026-39419EXP

MaxKB: Sandbox Result Validation Bypass via Tool Output Spoofing

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 14, 2026

Actively Exploited

Apr 14, 2026

Patch Available

Apr 14, 2026

Discovered by ZDM

Apr 14, 2026

Updated: severity, activelyExploited, patchAvailable, tags

Apr 14, 2026

Version History

v2

Last enriched 2h ago

v2Tier C2h ago

Updated severity to HIGH, marked as actively exploited, and added CVE-2026-39422 as a tag.

severityactivelyExploitedpatchAvailabletags

via VulDB

v18h ago

Initial creation