What is CVE-2026-6107?

CVE-2026-6107 is a low-severity vulnerability in 1panel-dev Maxkb, classified under Cross-site Scripting. CVSS score: 3.5/10. Published 2026-04-12.

How severe is CVE-2026-6107?

Low severity. CVSS v3 base score is 3.5 out of 10.

RCE in 1panel-dev Maxkb

CVE-2026-6107

A flaw has been found in 1Panel-dev MaxKB up to 2.6.1. This issue affects some unknown processing of the file apps/common/middleware/chat_headers_middleware.py of the component ChatHeadersMiddleware. This manipulation of the argument Name…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (11.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 3.5 (Low). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C.

Affected products

1panel-dev Maxkb — versions 2.6.0, 2.6.1, 2.8.0

Weakness classification (CWE)

References

VDB-356966 | 1Panel-dev MaxKB ChatHeadersMiddleware chat_headers_middleware.py cross site scripting (vdb-entry, technical-description)
VDB-356966 | CTI Indicators (IOB, IOC, TTP, IOA) (signature, permissions-required)
Submit #782263 | 1Panel-dev MaxKB <= v2.6.1 Stored XSS (third-party-advisory)
github.com/AnalogyC0de/public_exp/issues/24 (issue-tracking)
github.com/1Panel-dev/MaxKB/pull/4919 (issue-tracking, patch)
github.com/1Panel-dev/MaxKB/commit/026a2d623e2aa5efa67c4834651e79d5d7cab1da (patch)
github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0 (patch)
github.com/1Panel-dev/MaxKB/ (product)

Frequently asked questions

What is CVE-2026-6107?: CVE-2026-6107 is a low-severity vulnerability in 1panel-dev Maxkb, classified under Cross-site Scripting. CVSS score: 3.5/10. Published 2026-04-12.
How severe is CVE-2026-6107?: Low severity. CVSS v3 base score is 3.5 out of 10.