Cross-Site Scripting Vulnerability in 1Panel-dev MaxKB Product
CVE-2025-15632

5.1MEDIUM

Key Information:

Vendor

1panel-dev

Status
Maxkb
Vendor
CVE Published:
13 April 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2025-15632?

A cross-site scripting vulnerability has been identified in the file ui/src/chat.ts of the MdPreview component of the MaxKB product by 1Panel-dev, specifically impacting versions up to 2.4.2. This flaw allows an attacker to execute arbitrary scripts in the context of the user's browser, potentially leading to data theft and session hijacking. The vulnerability has been publicly disclosed, making it imperative for users to upgrade to version 2.5.0, where a patch identified as 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8 has been implemented. The vendor responded promptly and professionally upon notification, enhancing their commitment to cybersecurity.

Affected Version(s)

MaxKB 2.4.0

MaxKB 2.4.1

MaxKB 2.4.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-15632 - Proof of Concept

References

https://vuldb.com/vuln/356967
vdb-entry
https://vuldb.com/vuln/356967/cti
signaturepermissions-required
https://vuldb.com/submit/782265
third-party-advisory

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ana10gy (VulDB User)
VulDB CNA Team
.