Stored Cross-Site Scripting Vulnerability in MaxKB AI Assistant by 1Panel
CVE-2026-39426

5.1 MEDIUM

Key Information:

Vendor: 1panel-dev
Status: Vendor
CVE Published: 14 April 2026

What is CVE-2026-39426?

MaxKB, an open-source AI assistant developed by 1Panel, has a security vulnerability that allows attackers to execute malicious scripts through the application's chat interface. This Stored Cross-Site Scripting (XSS) issue arises because the MdRenderer.vue component improperly processes custom <iframe_render> tags, bypassing the Markdown sanitization that would otherwise apply. Consequently, unsanitized HTML content is rendered directly in an iframe, enabling injected scripts to escape the frame and execute JavaScript in the parent context. This can lead to serious consequences, including session hijacking, unauthorized actions, and sensitive data exposure for any user who views the affected chat content. The vulnerability has been addressed in version 2.8.0.
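The following is an added example and is not code from MaxKB or 1Panel. It contrasts the unsafe rendering shape the advisory describes (a custom tag's body skipping the sanitizer and landing in a same-origin iframe) with a hardened version that sanitizes the body, entity-encodes it for the srcdoc attribute, and gives the frame an opaque origin via the sandbox attribute. The <iframe_render> tag name comes from the advisory; the function names, the allowlist sanitizer (a small stand-in for a real sanitizer library) and the sample chat message are assumptions constructed for this example.

```javascript
'use strict';

// Custom tag expanded by the Markdown renderer (tag name from the advisory).
const IFRAME_RENDER_RE = /<iframe_render>([\s\S]*?)<\/iframe_render>/gi;

// Tags allowed to survive inside a rendered block; every attribute is stripped.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'code', 'pre']);

// Entity-encode text so it is inert as HTML and safe inside a double-quoted attribute.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Minimal allowlist sanitizer (stand-in for a real library, assumption): drops
// every tag not in ALLOWED_TAGS (script, img, svg, iframe, ...) and rebuilds the
// allowed ones without attributes, so event handlers and javascript: URLs cannot
// ride along. Text left behind by a removed tag is plain text and does not run.
function sanitizeHtml(html) {
  return String(html)
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(/<\/?([a-zA-Z][a-zA-Z0-9-]*)\b[^>]*>/g, (match, name) => {
      const tag = name.toLowerCase();
      if (!ALLOWED_TAGS.has(tag)) return '';
      return match.startsWith('</') ? `</${tag}>` : `<${tag}>`;
    });
}

// Unsafe shape (what the advisory describes): the custom tag's body bypasses
// the Markdown sanitizer and is dropped straight into an iframe. A srcdoc
// iframe without `sandbox` shares the parent page's origin, so script inside
// it can reach the parent document, its cookies and its storage.
function renderIframeUnsafe(markdown) {
  return markdown.replace(IFRAME_RENDER_RE, (_m, body) => `<iframe srcdoc="${body}"></iframe>`);
}

// Hardened shape: sanitize the body like any other HTML, entity-encode it for
// the attribute (a raw quote would otherwise break out of srcdoc), and add
// `sandbox` with no allow-same-origin / allow-scripts tokens, so the frame gets
// an opaque origin and cannot execute script at all.
function renderIframeHardened(markdown) {
  return markdown.replace(IFRAME_RENDER_RE, (_m, body) => {
    const clean = sanitizeHtml(body);
    return `<iframe sandbox srcdoc="${escapeHtml(clean)}"></iframe>`;
  });
}

// Defence-in-depth check for a rendering test suite: does the produced markup
// still contain anything capable of running script?
function hasActiveContent(html) {
  return /<script\b|\son[a-z]+\s*=|javascript:/i.test(html);
}

// Constructed sample chat message (not a payload taken from the advisory).
const SAMPLE = '<iframe_render><p>Hello</p><script>x()</script><b onclick="y()">bold</b></iframe_render>';

console.log('unsafe   :', renderIframeUnsafe(SAMPLE), '-> active content:', hasActiveContent(renderIframeUnsafe(SAMPLE)));
console.log('hardened :', renderIframeHardened(SAMPLE), '-> active content:', hasActiveContent(renderIframeHardened(SAMPLE)));
```

The two defences are independent: sanitizing removes script-bearing markup from the body, while the sandbox attribute removes the frame's ability to touch the parent even if something slips through the sanitizer. Relying on either one alone is the kind of gap the advisory describes.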

Affected Version(s)

MaxKB < 2.8.0

References

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
