CVE-2026-39425
Stored XSS in MaxKB Application Prologue Enables Session Hijacking
Publication date: 2026-04-14
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| maxkb | maxkb | up to, but excluding, 2.8.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39425 is a Stored Cross-Site Scripting (XSS) vulnerability found in MaxKB versions 2.7.1 and below. It occurs when an authenticated user injects malicious HTML or JavaScript into the Application prologue (Opening Remarks) field by wrapping it in <html_rander> tags. The backend does not sanitize or encode this input before storing it in the database. Later, the frontend renders the stored content directly using an innerHTML-like method, trusting the <html_rander>-wrapped content as safe. This allows the malicious code to persist and execute in the browser of any user who opens the affected chatbot interface.
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to several serious impacts including session hijacking, where attackers can steal user sessions; unauthorized actions performed on behalf of victims, such as deleting workspaces or applications; and exposure of sensitive data. Since the malicious script executes in the context of the victim's browser, it can compromise user security and the integrity of the affected application.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the Application prologue (Opening Remarks) field for the presence of malicious HTML or JavaScript payloads wrapped in <html_rander> tags. Since the issue arises when authenticated users create or update applications via the /admin/api/workspace/{workspace_id}/application endpoint, monitoring requests to this API endpoint for suspicious payloads is recommended.
You can use commands or tools to query the API or the database for prologue fields that contain <html_rander> tags wrapping suspicious scripts. For example, use curl to fetch the application data and grep to search for the tag:
- curl -H "Authorization: Bearer <token>" https://<maxkb-host>/admin/api/workspace/<workspace_id>/application | grep '<html_rander>'
- Alternatively, query the database directly for prologue fields containing <html_rander> tags if you have database access.
Additionally, monitoring frontend chatbot interfaces for unexpected script execution or unusual behavior can help detect exploitation.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade MaxKB to version 2.8.0 or later, where this Stored Cross-Site Scripting vulnerability has been fixed.
Until the upgrade can be performed, restrict or monitor authenticated users' ability to create or update applications, especially the prologue field, to prevent injection of malicious payloads.
Implement additional input validation or sanitization on the prologue field if possible, and audit existing application configurations for suspicious <html_rander> content.
Also, educate users to avoid interacting with suspicious chatbot interfaces that might be affected.
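The detection step above (searching fetched application records for <html_rander> content) and the audit step in the mitigation list can be automated with a small scanner. The following is an added example, not MaxKB's own code; it assumes the application endpoint returns a list of records with a "prologue" field (the "id" and "name" keys are assumed) and distinguishes wrappers carrying only static markup from wrappers carrying active content.

```python
import html
import re

# Case-insensitive match for the <html_rander> wrapper the advisory describes.
WRAPPER_RE = re.compile(r"<html_rander>(.*?)</html_rander>", re.IGNORECASE | re.DOTALL)

# Markers of active content inside the wrapper (review flags, not an exhaustive filter).
ACTIVE_CONTENT_RE = re.compile(
    r"<\s*(script|iframe|object|embed|svg)\b"  # script-bearing elements
    r"|\bon[a-z]+\s*="                          # inline event handlers such as onerror=
    r"|javascript\s*:",                         # javascript: URLs
    re.IGNORECASE,
)

def classify_prologue(prologue):
    """'clean': no wrapper; 'wrapped': wrapper with only static markup;
    'suspicious': wrapper that carries active content."""
    inner_chunks = WRAPPER_RE.findall(prologue or "")
    if not inner_chunks:
        return "clean"
    if any(ACTIVE_CONTENT_RE.search(chunk) for chunk in inner_chunks):
        return "suspicious"
    return "wrapped"

def find_suspicious_prologues(applications):
    """Return (id, name, verdict) for every application record whose prologue
    needs review, preserving the order of the input list."""
    findings = []
    for app in applications:
        verdict = classify_prologue(app.get("prologue"))
        if verdict != "clean":
            findings.append((app.get("id"), app.get("name"), verdict))
    return findings

def neutralize_prologue(prologue):
    """Interim hardening: HTML-escape the field so any wrapper renders as literal text."""
    return html.escape(prologue or "", quote=True)

# Constructed sample records; only "prologue" is named by the advisory, other keys are assumed.
SAMPLE_APPLICATIONS = [
    {"id": "app-1", "name": "FAQ bot", "prologue": "Hello! How can I help?"},
    {"id": "app-2", "name": "Docs bot",
     "prologue": "<html_rander><b>Welcome</b></html_rander>"},
    {"id": "app-3", "name": "Sales bot",
     "prologue": '<HTML_RANDER><img src=x onerror="/*constructed*/"></HTML_RANDER>'},
]

if __name__ == "__main__":
    for finding in find_suspicious_prologues(SAMPLE_APPLICATIONS):
        print(finding)
```

Records classified as "wrapped" still deserve a manual look, since the wrapper itself is the feature the fix in 2.8.0 addresses; "suspicious" records should be treated as likely exploitation attempts and the affected users' sessions reviewed.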
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The Stored Cross-Site Scripting (XSS) vulnerability in MaxKB allows attackers to execute arbitrary scripts in users' browsers, potentially leading to session hijacking, unauthorized actions, and exposure of sensitive data.
Such unauthorized access and data exposure can compromise the confidentiality and integrity of personal and sensitive information, which are critical requirements under common standards and regulations like GDPR and HIPAA.
Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to failure to adequately protect user data and prevent unauthorized access.