Executive Summary

CVE-2025-15632 is a stored Cross-Site Scripting (XSS) vulnerability in MaxKB (version ≤ 2.6.1), specifically affecting the Markdown editor's paragraph content feature.

Authenticated users with dataset management permissions can create paragraphs containing arbitrary HTML or Markdown content that is stored without sanitization and later rendered in the user interface using the MdPreview component, which does not sanitize HTML by default.

This allows malicious JavaScript embedded in the paragraph content to execute in the browsers of other users, including administrators, when they view the paragraph or its execution details.

The vulnerability arises because backend endpoints accept and store unsanitized content, and the frontend renders this content without applying any sanitization, enabling remote attackers to inject and execute malicious scripts.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to the execution of malicious scripts in the browsers of users who view the affected content, potentially allowing attackers to steal session tokens, perform actions on behalf of users, or deliver malware.

Since the attack can be executed remotely by authenticated users with certain permissions, it poses a risk of unauthorized access or manipulation of user sessions and data.

The exploit being publicly disclosed increases the risk of exploitation by attackers.

Upgrading to version 2.5.0 or later is recommended to mitigate these risks, as the update includes fixes that sanitize user input and prevent script execution.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring POST requests to the API endpoint responsible for paragraph creation, specifically the endpoint: /api/workspace/{workspace_id}/knowledge/{knowledge_id}/document/{document_id}/paragraph.

Look for suspicious payloads in the 'content' parameter of these POST requests that contain potentially malicious HTML or JavaScript, such as <img src=x onerror=alert('XSS')> or other script tags.

A practical detection method is to capture and inspect HTTP traffic or logs for such payloads submitted by authenticated users with dataset management permissions.

• Use tools like curl or HTTP clients to test the endpoint with a payload containing JavaScript to see if it is stored and rendered without sanitization.
• Example curl command to test the vulnerability (replace placeholders accordingly):
• curl -X POST https://your-maxkb-instance/api/workspace/{workspace_id}/knowledge/{knowledge_id}/document/{document_id}/paragraph -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"content": "<img src=x onerror=alert(1)>"}'

If the payload is stored and later executed when viewing the paragraph, the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended step to mitigate this vulnerability is to upgrade MaxKB to version 2.5.0 or later, where the vulnerability has been fixed.

The fix involves sanitizing the Markdown editor input by integrating XSS protection plugins and enforcing strict whitelisting of allowed HTML tags and attributes, preventing malicious script injection.

If upgrading immediately is not possible, consider implementing input sanitization on the server side to filter out malicious HTML or JavaScript in the paragraph content before storage.

Additionally, restrict permissions so that only trusted users can create or edit paragraph content, reducing the risk of exploitation.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability CVE-2025-15632 is a stored Cross-Site Scripting (XSS) issue in MaxKB that allows authenticated users to inject malicious scripts which execute in other users' browsers. Such vulnerabilities can lead to unauthorized access to user sessions, data exposure, or manipulation of user data.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, XSS vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations. Exploitation could potentially lead to unauthorized disclosure of personal or sensitive information, thereby affecting compliance.

Therefore, organizations using affected versions of MaxKB should consider this vulnerability a risk to regulatory compliance and should upgrade to version 2.5.0 or later, where the issue is fixed, to mitigate potential legal and compliance impacts.

Useful 0 Not Useful 0