CVE-2026-39426
Stored XSS in MaxKB MdRenderer.vue Enables Parent Window Hijack
Publication date: 2026-04-14
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| maxkb | maxkb | up to 2.8.0 (2.8.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39426 is a Stored Cross-Site Scripting (XSS) vulnerability found in MaxKB versions 2.7.1 and below. The vulnerability occurs because the frontend component MdRenderer.vue parses custom <iframe_render> tags from Large Language Model (LLM) responses or Application Prologue configurations without proper sanitization. These tags bypass the standard Markdown sanitization and XSS filtering.
The unsanitized HTML content is then passed to the IframeRender.vue component, which renders it directly into an iframe using the srcdoc attribute. This iframe is configured with sandbox="allow-scripts allow-same-origin", a combination that lets scripts inside the iframe run with the parent document's origin, so they can reach window.parent and execute JavaScript in the parent window.
Because the Prologue content is rendered for any user visiting the chat interface, this vulnerability enables attackers to inject scripts that execute in the context of other users, leading to a high-impact Stored XSS attack.
How can this vulnerability impact me?
This vulnerability can have serious impacts including session hijacking, unauthorized actions performed on behalf of users, and exposure of sensitive data.
Since the injected scripts can escape the iframe sandbox and execute in the parent window, attackers can manipulate the application interface or steal user credentials and tokens.
Because the malicious content is stored and rendered for all users accessing the chat interface, multiple users can be affected, increasing the risk and impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the MaxKB frontend is parsing unsanitized <iframe_render> tags that bypass Markdown sanitization and XSS filtering.
Since the vulnerability is a stored Cross-Site Scripting (XSS) issue in the MdRenderer.vue and IframeRender.vue components, detection can focus on monitoring the application's chat interface for injected <iframe_render> tags or suspicious iframe srcdoc content.
Specific commands are not provided in the resources, but general approaches include:
- Inspect HTTP responses from the chat interface for the presence of <iframe_render> tags or iframes with suspicious srcdoc attributes.
- Use web application security scanners or browser developer tools to analyze DOM elements for injected scripts escaping iframe sandboxes.
- Monitor logs or use intrusion detection systems to detect unusual script execution or attempts to access window.parent from iframes.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade MaxKB to version 2.8.0 or later, where this Stored XSS vulnerability has been fixed.
Until the upgrade can be applied, consider restricting or sanitizing the content of Application Prologue configurations and LLM responses to prevent injection of <iframe_render> tags.
Additionally, review and enhance frontend sanitization and XSS filtering mechanisms to ensure that custom tags like <iframe_render> cannot bypass security controls.
Limit user privileges and access to the chat interface to reduce the risk of exploitation.
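As an added illustration of both the detection checks above and the sandbox-hardening point, the following JavaScript helper (example code written for this page, not MaxKB's own; the function names are the editor's own) flags <iframe_render> tags and srcdoc iframes whose sandbox keeps allow-same-origin next to allow-scripts, and shows the sandbox value with the offending token removed. The sample markup is constructed, not captured from a real instance.

```javascript
// Added example, not MaxKB's code; helper names are the editor's own.
// Heuristic string scan over rendered chat/prologue HTML (or a captured HTTP
// response body) for the two indicators named in the advisory: the custom
// <iframe_render> tag, and <iframe srcdoc=...> whose sandbox still combines
// allow-scripts with allow-same-origin (the pair that exposes window.parent).
const DANGEROUS_PAIR = ['allow-scripts', 'allow-same-origin'];

function parseSandboxTokens(sandboxAttr) {
  // sandbox is a space-separated, case-insensitive token list.
  return new Set(sandboxAttr.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// null means the sandbox attribute is absent entirely (no sandbox at all).
function sandboxAllowsParentEscape(sandboxAttr) {
  if (sandboxAttr === null) return true;
  const tokens = parseSandboxTokens(sandboxAttr);
  return DANGEROUS_PAIR.every((t) => tokens.has(t));
}

// Drop allow-same-origin so the frame gets an opaque origin: scripts may
// still run inside it, but they can no longer script the parent document.
function hardenSandbox(sandboxAttr) {
  const tokens = parseSandboxTokens(sandboxAttr ?? '');
  tokens.delete('allow-same-origin');
  return [...tokens].join(' ');
}

function scanChatHtml(html) {
  const findings = [];
  for (const m of html.matchAll(/<iframe_render\b[^>]*>/gi)) {
    findings.push({ kind: 'iframe_render_tag', index: m.index, snippet: m[0] });
  }
  for (const m of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    const attrs = m[1];
    if (!/\bsrcdoc\s*=/i.test(attrs)) continue; // only srcdoc-rendered frames
    const sb = attrs.match(/\bsandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/i);
    const sandbox = sb ? (sb[1] ?? sb[2] ?? sb[3] ?? '') : null;
    if (sandboxAllowsParentEscape(sandbox)) {
      findings.push({ kind: 'srcdoc_iframe_weak_sandbox', index: m.index, sandbox });
    }
  }
  return findings;
}

// Constructed sample markup (not captured from a real MaxKB instance).
const SAMPLE_HTML = [
  '<p>Welcome to the assistant.</p>',
  '<iframe_render>custom tag that bypasses the Markdown sanitizer</iframe_render>',
  '<iframe srcdoc="&lt;p&gt;hi&lt;/p&gt;" sandbox="allow-scripts allow-same-origin"></iframe>',
  '<iframe srcdoc="&lt;p&gt;ok&lt;/p&gt;" sandbox="allow-scripts"></iframe>',
].join('\n');
console.log(scanChatHtml(SAMPLE_HTML)); // two findings: the custom tag and the weak-sandbox frame
```

Run with Node 14 or later; the scan is a string heuristic for triage, not a parser, so confirm hits in the browser DOM before acting on them.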
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in MaxKB allows high-impact Stored Cross-Site Scripting (XSS) attacks that can lead to session hijacking, unauthorized actions, and sensitive data exposure.
Such security issues can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.
By enabling attackers to execute scripts in the context of the parent window and potentially access or manipulate sensitive information, this vulnerability increases the risk of data breaches and unauthorized data processing, which are critical compliance concerns.