Stored Cross-Site Scripting in MaxKB AI Assistant by 1Panel
CVE-2026-39425

5.1MEDIUM

Key Information:

Vendor: 1panel-dev
Status: Maxkb
Vendor: CVE Published:; 14 April 2026

What is CVE-2026-39425?

The MaxKB AI assistant is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability that affects versions up to 2.7.1. This security flaw allows authenticated users to inject malicious HTML and JavaScript into the Application prologue field. The application does not adequately sanitize or encode HTML entities when creating or updating entries via its API. This results in the raw payload being stored directly into the database and rendered on the frontend using unsafe mechanisms that trust <html_rander> tags. An attacker can exploit this vulnerability to execute persistent XSS attacks, which may enable session hijacking or unauthorized actions, such as deleting workspaces or accessing sensitive information. The issue has been resolved in version 2.8.0.

Affected Version(s)

MaxKB < 2.8.0

References

https://github.com/1Panel-dev/MaxKB/security/advisories/G...

x_refsource_CONFIRM

https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0

x_refsource_MISC

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 14, 2026
Vulnerability Reserved
Apr 7, 2026

CVE-2026-39425 Data

JSON

1panel-dev

What is CVE-2026-39425?

Affected Version(s)

References

CVSS V4

Timeline