XSS in 1panel-dev MaxKB

CVE-2026-39426

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability where the frontend's MdRenderer.vue component parses custom <iframe_render> tags from LLM responses or…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (1.7th percentile)
