Stored XSS Vulnerability in MaxKB AI Assistant
CVE-2026-39422

CVSS v4: 6.9 (MEDIUM)

Key Information:

Vendor

1panel-dev

Status
Vendor
CVE Published:
14 April 2026

What is CVE-2026-39422?

MaxKB, the open-source AI assistant developed by 1Panel, has a stored cross-site scripting (XSS) vulnerability in versions 2.7.1 and earlier. An attacker who can create an application can store malicious JavaScript in its name or icon field. When a user opens the application's public chat interface, the ChatHeadersMiddleware inserts these stored values into the HTML response without escaping them, so the injected script executes in the victim's browser. The issue was fixed in MaxKB 2.8.0.
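The pattern described above, reduced to a runnable illustration. This is added example code, not MaxKB's ChatHeadersMiddleware: the header template, the field names and the sample payloads are constructed assumptions. It shows the vulnerable interpolation of stored name/icon values next to a hardened version that escapes the name for the element context and validates and escapes the icon URL for the attribute context, plus a crude check a tester can run against a captured response body.

```python
"""Stored-XSS pattern: app name and icon values saved at creation time are
later interpolated into the HTML of the public chat page.  Hypothetical
code for illustration; not the project's own middleware."""
import html
from urllib.parse import urlparse

# Constructed sample inputs: what an attacker might store in the two fields.
MALICIOUS_APP = {
    "name": "<script>alert(document.cookie)</script>",
    "icon": "javascript:alert(1)",
}
# Constructed benign input to show the fix does not mangle normal values.
BENIGN_APP = {"name": "Support Bot <beta>", "icon": "https://example.test/icon.png"}

# Assumed shape of the injected header fragment (not the real template).
TEMPLATE = '<title>{name}</title><link rel="icon" href="{icon}">'


def render_headers_vulnerable(app: dict) -> str:
    """Interpolates the stored values verbatim, as the advisory describes."""
    return TEMPLATE.format(name=app["name"], icon=app["icon"])


def safe_icon_url(url: str) -> str:
    """Allow only http(s) or relative URLs for the icon; reject other schemes
    (javascript:, data:, ...) by returning an empty string, then escape for
    use inside a double-quoted attribute."""
    scheme = urlparse(url.strip()).scheme.lower()
    if scheme in ("http", "https", ""):
        return html.escape(url, quote=True)
    return ""


def render_headers_fixed(app: dict) -> str:
    """Escape the name for element text and validate+escape the icon URL
    for the attribute context before interpolating."""
    return TEMPLATE.format(
        name=html.escape(app["name"], quote=True),
        icon=safe_icon_url(app["icon"]),
    )


def contains_raw_script(rendered: str) -> bool:
    """Crude detection: does a raw <script tag or javascript: URL survive
    in the rendered response?  Useful when checking a captured body."""
    lowered = rendered.lower()
    return "<script" in lowered or "javascript:" in lowered


if __name__ == "__main__":
    for label, render in (("vulnerable", render_headers_vulnerable),
                          ("fixed", render_headers_fixed)):
        out = render(MALICIOUS_APP)
        print(f"{label}: {out!r} -> raw script present: {contains_raw_script(out)}")
```

The two contexts matter: escaping alone does not make a `javascript:` URL safe inside `href`, which is why the icon value is scheme-checked as well as escaped.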

Affected Version(s)

MaxKB < 2.8.0


CVSS v4

Score: 6.9
Severity: MEDIUM
Confidentiality (vulnerable system): None
Integrity (vulnerable system): High
Availability (vulnerable system): None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined (not specified on this page)
User Interaction: Unknown (not specified on this page)

Timeline

  • Vulnerability reserved

  • Vulnerability published: 14 April 2026