Executive Summary

CVE-2026-39423 is a Stored Cross-Site Scripting (XSS) vulnerability in the MaxKB open-source AI assistant, affecting versions 2.7.1 and below.

The vulnerability arises from an unsafe use of JavaScript's eval() function in the Markdown rendering engine, specifically in the EchartsRander component. This component processes embedded Apache Echarts graphs within Markdown responses using a custom tag.

If the JSON content inside the custom tag contains an "actionType": "EVAL", the evalParseOption() function executes the "option" field without any sanitization or escaping, allowing attackers to inject arbitrary JavaScript code.

Because the payload is JSON and not sanitized by typical HTML sanitizers, attackers can bypass rich text sanitization and execute malicious scripts in the browsers of other users, including administrators.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows any user who can interact with the AI chat interface to execute arbitrary JavaScript code in the browsers of other users, including administrators.

Such execution of malicious scripts can lead to unauthorized actions, data theft, session hijacking, or other malicious activities performed in the context of the victim's browser.

Because it is a Stored XSS, the malicious code can persist and affect multiple users over time, increasing the risk and impact.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability CVE-2026-39423 in MaxKB versions 2.7.1 and below is caused by unsafe JavaScript evaluation in the Markdown rendering engine, allowing stored XSS attacks.

To mitigate this vulnerability immediately, upgrade MaxKB to version 2.8.0 or later, where the issue has been fixed.

The fix involves modifying the EchartsRander component to add a sandbox attribute (sandbox="allow-scripts") to the iframe rendering the charts, restricting the iframe's capabilities and preventing execution of injected scripts.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows arbitrary JavaScript execution in the browsers of other users, including administrators, through a Stored Cross-Site Scripting (XSS) attack. This can lead to unauthorized access to sensitive information or manipulation of user sessions.

Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Failure to address this vulnerability could result in data exposure or compromise, potentially violating these regulations' requirements for data security and privacy.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in MaxKB versions 2.7.1 and below, caused by unsafe evaluation of JavaScript in the Markdown rendering engine. Detection involves identifying if your system is running a vulnerable version and if the vulnerable component is processing malicious payloads.

To detect the vulnerability on your system, first verify the MaxKB version:

• Check the installed MaxKB version to ensure it is 2.8.0 or later (which contains the fix): ```bash maxkb --version ```

To detect exploitation attempts or presence of malicious payloads in the Markdown rendering engine, you can search logs or stored data for the specific `<echarts_rander>` tag containing JSON with the field "actionType": "EVAL" which triggers the unsafe eval execution.

• Search for suspicious payloads in stored Markdown or logs (example using grep): ```bash grep -r '<echarts_rander>' /path/to/maxkb/data ```
• Look for JSON payloads containing "actionType": "EVAL" inside the `<echarts_rander>` tag, which indicates potential exploitation attempts.

Additionally, monitor network traffic or browser console logs for unexpected JavaScript execution or errors related to the Echarts rendering component.

Useful 0 Not Useful 0