CVE-2026-39422 MEDIUM

CVE-2026-39422: MaxKB has Stored XSS via ChatHeadersMiddleware

Vendor 1Panel-Dev

Product MaxKB

Weakness CWE-79 · XSS

Published April 14, 2026

Last update April 14, 2026

View on NVD All CVEs

CVSS base score

6.9/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability through the application name or icon fields when creating an application. When a victim visits the public chat interface (/ui/chat/{access_token}), the ChatHeadersMiddleware retrieves the application data and directly inserts the unescaped application name and icon into the HTML response via string replacement. This allows an attacker to execute arbitrary JavaScript in the victim's browser context. This issue has been fixed in version 2.8.0.

Key dates

02Disclosure timeline

April 14, 2026 CVE published

April 14, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-39422 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2022-50946 WordPress Plugin Netroics Blog Posts Grid 1.0 Stored XSS CVE-2023-25962 WordPress Accordions Plugin <= 2.3.0 is vulnerable to Cross Site Scripting (XSS) CVE-2025-3826 SourceCodester Web-based Pharmacy Product Management System add-supplier.php cross site scripting CVE-2024-4288 Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.7.14 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-8605 Gutenify - Visual Site Builder Blocks & Site Templates <= 1.5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Count Up block