CVE-2026-39422
Stored XSS in MaxKB Application Name and Icon Fields
Publication date: 2026-04-14
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| maxkb | maxkb | all versions before 2.8.0 (2.8.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the Stored Cross-Site Scripting (XSS) vulnerability in MaxKB affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-39422 is a Stored Cross-Site Scripting (XSS) vulnerability in MaxKB versions 2.7.1 and below. It occurs because the application name and icon fields are not properly escaped or sanitized when stored and later rendered in the HTML response of the public chat interface.
An attacker with authenticated access can inject malicious JavaScript code into these fields when creating an application. When a victim visits the chat interface, the malicious script is executed in their browser because the application name and icon are inserted directly into the HTML without escaping.
This allows arbitrary JavaScript execution in the victim's browser context, which can lead to various malicious actions.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to execute arbitrary JavaScript code in your browser when you visit the affected MaxKB chat interface.
- Session hijacking: attackers can steal your session cookies and impersonate you.
- Defacement: attackers can modify the content displayed to you.
- Other malicious actions: such as redirecting you to malicious sites or stealing sensitive information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your MaxKB instance is running a vulnerable version (2.7.1 or below) and by testing whether the application name or icon fields accept and render unescaped HTML or JavaScript.
One way to detect it is to send a crafted POST request to the endpoint `/api/application/` with a payload containing a script tag in the application name field and then visit the public chat interface `/ui/chat/{access_token}` to see if the script executes.
Example curl command to test injection (replace `your-maxkb-domain` and `<token>` with your own instance and an authenticated user's token):

```bash
curl -X POST https://your-maxkb-domain/api/application/ \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"name": "</title><script>alert(1)</script><title>", "desc": "test", "dialogue_number": 0, "type": "SIMPLE", "dataset_setting": {}, "model_setting": {}, "problem_optimization": false}'
```
After sending this request, visiting `/ui/chat/{access_token}` should trigger the alert if the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade MaxKB to version 2.8.0 or later, where the vulnerability has been fixed by properly escaping or sanitizing the application name and icon fields before rendering.
Until the upgrade can be performed, restrict access to the application creation endpoint `/api/application/` to trusted users only, and monitor for suspicious POST requests that attempt to inject scripts.
Additionally, consider implementing Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser.
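As an added illustration (not MaxKB's own code and not the fix shipped in 2.8.0), the Python below puts the unescaped rendering the advisory describes beside an escaped version, using the advisory's own name payload, adds a scheme allow-list for the icon field, and includes an audit helper for values stored while an instance was still vulnerable. The `<img src>` context for the icon and the default-icon path are assumptions.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample input: the name payload quoted in the detection answer above.
PAYLOAD_NAME = "</title><script>alert(1)</script><title>"


def render_title_unsafe(app_name: str) -> str:
    """The pattern the advisory describes: the stored name is concatenated
    straight into the page, so a closing </title> breaks out of the element."""
    return f"<title>{app_name}</title>"


def render_title_safe(app_name: str) -> str:
    """Hardened form: escape the name for the HTML text context it lands in."""
    return f"<title>{html.escape(app_name, quote=True)}</title>"


def is_safe_icon_url(icon_url: str) -> bool:
    """Allow absolute http(s) URLs and same-origin paths starting with a single '/'.
    Escaping alone does not neutralize a javascript: URL in a src attribute,
    so the scheme must be checked before the value is emitted."""
    url = icon_url.strip()
    parts = urlsplit(url)  # urlsplit lowercases the scheme and drops \t \r \n
    if parts.scheme in ("http", "https"):
        return True
    return parts.scheme == "" and url.startswith("/") and not url.startswith("//")


def render_icon_safe(icon_url: str) -> str:
    """Assumed rendering context: the icon is emitted as an <img src>.
    Disallowed URLs fall back to a fixed default (hypothetical path)."""
    if not is_safe_icon_url(icon_url):
        icon_url = "/static/default-icon.png"
    return f'<img src="{html.escape(icon_url, quote=True)}" alt="icon">'


# Tag openers/closers and inline event handlers that have no place in a display name.
_MARKUP = re.compile(r"<\s*/?\s*(script|title|iframe|img|svg)\b|\bon\w+\s*=", re.I)


def looks_like_markup(value: str) -> bool:
    """Audit helper: flag stored name/icon values containing tag-like content,
    for reviewing entries created before the upgrade to 2.8.0."""
    return bool(_MARKUP.search(value))


if __name__ == "__main__":
    print(render_title_unsafe(PAYLOAD_NAME))  # script tag reaches the page
    print(render_title_safe(PAYLOAD_NAME))    # rendered as inert text
    print(render_icon_safe("javascript:alert(1)"))  # replaced by the default icon
```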