CVE-2026-39425

Source
https://cve.org/CVERecord?id=CVE-2026-39425
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39425.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-39425
Aliases
  • GHSA-3rq5-pgm7-pvp4
Published
2026-04-14T01:18:42.895Z
Modified
2026-07-08T08:13:05.435130691Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
MaxKB: Stored XSS via Unsanitized html_rander Tags in Markdown Rendering
Details

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability that allows authenticated users to inject arbitrary HTML and JavaScript into the Application prologue (Opening Remarks) field by wrapping malicious payloads in <html_rander> tags. The backend fails to sanitize or encode HTML entities in the prologue field when applications are created or updated via the /admin/api/workspace/{workspace_id}/application endpoint, storing the raw payload directly in the database. The frontend then renders this content using an innerHTML-equivalent mechanism, trusting <html_rander>-wrapped content to be safe, which enables persistent DOM-based Stored XSS execution against any visitor who opens the affected chatbot interface. Exploitation can lead to session hijacking, unauthorized actions performed on behalf of victims (such as deleting workspaces or applications), and sensitive data exposure. This issue has been fixed in version 2.8.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-80"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39425.json"
}
References

Affected packages

Git / github.com/1panel-dev/maxkb

Affected ranges

Type
GIT
Repo
https://github.com/1panel-dev/maxkb
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.8.0"
        }
    ],
    "cpe": "cpe:2.3:a:maxkb:maxkb:*:*:*:*:-:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.9.0
v0.9.1
v1.*
v1.0.0
v1.0.1
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.10.0-lts
v1.10.1-lts
v1.10.2-lts
v1.10.3-lts
v1.10.4-lts
v1.2.0
v1.2.1
v1.3.0
v1.4.0
v1.5.0
v1.6.0
v1.6.1
v1.7.0
v1.9.0
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v2.5.0
v2.6.0
v2.6.1
v2.7.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39425.json"