Executive Summary

CVE-2026-39422 is a Stored Cross-Site Scripting (XSS) vulnerability in MaxKB versions 2.7.1 and below. It occurs because the application name and icon fields are not properly escaped or sanitized when stored and later rendered in the HTML response of the public chat interface.

An attacker with authenticated access can inject malicious JavaScript code into these fields when creating an application. When a victim visits the chat interface, the malicious script is executed in their browser because the application name and icon are inserted directly into the HTML without escaping.

This allows arbitrary JavaScript execution in the victim's browser context, which can lead to various malicious actions.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify how the Stored Cross-Site Scripting (XSS) vulnerability in MaxKB affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker to execute arbitrary JavaScript code in your browser when you visit the affected MaxKB chat interface.

• Session hijacking – attackers can steal your session cookies and impersonate you.
• Defacement – attackers can modify the content displayed to you.
• Other malicious actions – such as redirecting you to malicious sites or stealing sensitive information.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your MaxKB instance is running a vulnerable version (2.7.1 or below) and by testing whether the application name or icon fields accept and render unescaped HTML or JavaScript.

One way to detect it is to send a crafted POST request to the endpoint `/api/application/` with a payload containing a script tag in the application name field and then visit the public chat interface `/ui/chat/{access_token}` to see if the script executes.

Example curl command to test injection:

• curl -X POST https://your-maxkb-domain/api/application/ -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"name": "</title><script>alert(1)</script><title>", "desc": "test", "dialogue_number": 0, "type": "SIMPLE", "dataset_setting": {}, "model_setting": {}, "problem_optimization": false}'

After sending this request, visiting `/ui/chat/{access_token}` should trigger the alert if the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade MaxKB to version 2.8.0 or later, where the vulnerability has been fixed by properly escaping or sanitizing the application name and icon fields before rendering.

Until the upgrade can be performed, restrict access to the application creation endpoint `/api/application/` to trusted users only, and monitor for suspicious POST requests that attempt to inject scripts.

Additionally, consider implementing Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser.

Useful 0 Not Useful 0