Eval Injection Vulnerability in MaxKB AI Assistant by 1Panel
CVE-2026-39423

6.9 MEDIUM

Key Information:

Vendor: 1panel-dev

Status
Vendor
CVE Published: 14 April 2026

What is CVE-2026-39423?

The MaxKB AI Assistant, developed by 1Panel, is susceptible to an Eval Injection vulnerability affecting versions 2.7.1 and earlier. This flaw is located within the Markdown rendering engine, allowing users interacting with the AI chat interface to execute arbitrary JavaScript within the browsers of other users, including administrators. This results in Stored Cross-Site Scripting (XSS) and poses significant security risks. 1Panel has addressed this issue in the updated version 2.8.0, and users are advised to upgrade to mitigate potential attacks.

Affected Version(s)

MaxKB < 2.8.0

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved