CVE-2026-39426

Source
https://cve.org/CVERecord?id=CVE-2026-39426
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39426.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-39426
Aliases
  • GHSA-q2qg-43vq-f2wv
Published
2026-04-14T01:25:10.592Z
Modified
2026-07-08T08:13:05.425336348Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
MaxKB: Stored XSS via Unsanitized iframe_render Parsing
Details

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability where the frontend's MdRenderer.vue component parses custom <iframe_render> tags from LLM responses or Application Prologue configurations, bypassing standard Markdown sanitization and XSS filtering. The unsanitized HTML content is passed to the IframeRender.vue component, which renders it directly into an <iframe> via the srcdoc attribute configured with sandbox="allow-scripts allow-same-origin". This can be a dangerous combination, allowing injected scripts to escape the iframe and execute JavaScript in the parent window using window.parent. Since the Prologue is rendered for any user visiting an application's chat interface, this results in a high-impact Stored XSS that can lead to session hijacking, unauthorized actions, and sensitive data exposure. This issue has been fixed in version 2.8.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39426.json"
}
References

Affected packages

Git / github.com/1panel-dev/maxkb

Affected ranges

Type
GIT
Repo
https://github.com/1panel-dev/maxkb
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.8.0"
        }
    ],
    "cpe": "cpe:2.3:a:maxkb:maxkb:*:*:*:*:-:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.9.0
v0.9.1
v1.*
v1.0.0
v1.0.1
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.10.0-lts
v1.10.1-lts
v1.10.2-lts
v1.10.3-lts
v1.10.4-lts
v1.2.0
v1.2.1
v1.3.0
v1.4.0
v1.5.0
v1.6.0
v1.6.1
v1.7.0
v1.9.0
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v2.5.0
v2.6.0
v2.6.1
v2.7.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39426.json"