XSS in 1panel-dev MaxKB

CVE-2026-39422

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability through the application name or icon fields when creating an application. When a victim visits the publ…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (10.6th percentile)

Affected products

Weakness classification (CWE)

References