CVE-2026-39422

N/A Unknown
Published: April 14, 2026 Modified: April 14, 2026
View on NVD

Description

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability through the application name or icon fields when creating an application. When a victim visits the public chat interface (/ui/chat/{access_token}), the ChatHeadersMiddleware retrieves the application data and directly inserts the unescaped application name and icon into the HTML response via string replacement. This allows an attacker to execute arbitrary JavaScript in the victim's browser context. This issue has been fixed in version 2.8.0.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/1Panel-dev/MaxKB/commit/026a2d623e2aa5efa67c4834651e79d5d7cab1da
Source: security-advisories@github.com
https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0
Source: security-advisories@github.com
https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-wf7p-3jq5-q52w
Source: security-advisories@github.com

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
N/A / 10.0
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-79

Related CVEs

CVE-2026-4109 4.3
CVE-2026-33929 N/A
CVE-2026-33892 7.1
CVE-2026-31924 N/A
CVE-2026-31923 N/A