Vulnerability Description
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability through the application name or icon fields when creating an application. When a victim visits the public chat interface (/ui/chat/{access_token}), the ChatHeadersMiddleware retrieves the application data and directly inserts the unescaped application name and icon into the HTML response via string replacement. This allows an attacker to execute arbitrary JavaScript in the victim's browser context. This issue has been fixed in version 2.8.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Maxkb | Maxkb | < 2.8.0 |
Related Weaknesses (CWE)
References
- https://github.com/1Panel-dev/MaxKB/commit/026a2d623e2aa5efa67c4834651e79d5d7cabPatch
- https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0Release Notes
- https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-wf7p-3jq5-q52wExploitVendor Advisory
- https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-wf7p-3jq5-q52wExploitVendor Advisory
FAQ
What is CVE-2026-39422?
CVE-2026-39422 is a vulnerability with a CVSS score of 5.4 (MEDIUM). MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability through the application name or icon fields when creating an app...
How severe is CVE-2026-39422?
CVE-2026-39422 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-39422?
Check the references section above for vendor advisories and patch information. Affected products include: Maxkb Maxkb.