CVE-2026-6106
Received Received - Intake
Cross-Site Scripting in 1Panel-dev MaxKB Public Chat Interface

Publication date: 2026-04-11

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in 1Panel-dev MaxKB up to 2.2.1. This vulnerability affects the function StaticHeadersMiddleware of the file apps/common/middleware/static_headers_middleware.py of the component Public Chat Interface. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. Upgrading to version 2.8.0 is able to resolve this issue. The patch is identified as 026a2d623e2aa5efa67c4834651e79d5d7cab1da. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-11
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6106
EUVD
EUVD-2026-21686
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
1panel-dev maxkb to 2.2.1 (inc)
1panel-dev maxkb 2.8.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the 1Panel-dev MaxKB software up to version 2.2.1, specifically in the StaticHeadersMiddleware function within the Public Chat Interface component. It arises from improper handling of the argument 'Name', which allows an attacker to perform cross-site scripting (XSS) attacks. Such attacks can be launched remotely by manipulating this argument.

The vulnerability has been publicly disclosed and an exploit is available. The issue is fixed in version 2.8.0, and upgrading to this version is recommended.

Impact Analysis

This vulnerability can allow an attacker to execute cross-site scripting (XSS) attacks remotely by manipulating input parameters. This can lead to the injection of malicious scripts into the web interface, potentially compromising user sessions, stealing sensitive information, or performing actions on behalf of authenticated users.

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade the affected component, 1Panel-dev MaxKB, to version 2.8.0 or later.

This upgrade resolves the cross site scripting vulnerability in the StaticHeadersMiddleware function.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6106. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart