XSS in 1panel-dev Maxkb

CVE-2026-39425

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability that allows authenticated users to inject arbitrary HTML and JavaScript into the Application prologue (…

EPSS: 0.000 (12.3th percentile) — read the EPSS interpretation.

Affected products

1panel-dev Maxkb — versions < 2.8.0

Weakness classification (CWE)

CWE-80 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

References

https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-3rq5-pgm7-pvp4 (x_refsource_CONFIRM)
https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0 (x_refsource_MISC)