CVE-2026-6107
Cross-Site Scripting in 1Panel-dev MaxKB ChatHeadersMiddleware
Publication date: 2026-04-12
Last updated on: 2026-04-12
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| 1panel-dev | maxkb | 2.6.1 |
| 1panel-dev | maxkb | 2.8.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6107 is a stored Cross-Site Scripting (XSS) vulnerability in MaxKB versions up to 2.6.1. An authenticated user can place JavaScript in the application name or icon fields when creating an application via the POST /api/application/ endpoint, and that value is later rendered to other users without escaping.
The flaw sits in the ChatHeadersMiddleware component, which rewrites the HTML page served for chat interface requests. The middleware substitutes the application name and icon into that page (the <title> text and the favicon link) without HTML escaping or sanitizing them, so a name such as `</title><script>...</script><title>` closes the title element and opens a script element.
When a victim opens the chat interface URL, the injected script is part of the served HTML and executes in the victim's browser in the MaxKB origin, giving the attacker arbitrary JavaScript execution in that context.
How can this vulnerability impact me?
This vulnerability allows an authenticated attacker to execute arbitrary JavaScript in the browsers of users who visit the affected chat interface. Typical consequences are session hijacking, theft of data visible to the victim, and actions performed in the context of the victim's session.
Because the injected script runs in the same origin as the legitimate site, it can manipulate the user interface, read cookies and tokens that are not protected by HttpOnly, and issue authenticated requests on behalf of the victim without their consent.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection follows the injection path itself: create an application whose 'name' or 'icon' field contains a unique marker wrapped in script tags via the POST /api/application/ endpoint, then fetch the chat page and check whether the marker comes back unescaped.
Use a marker that cannot occur in legitimate content (for example a string containing the CVE identifier) rather than a bare alert(1), so a match in the response is unambiguous and easy to clean up afterwards.
For example, the following curl command creates an application whose name breaks out of the <title> element (the -u basic-auth flag is a placeholder; substitute whatever authentication your MaxKB instance requires):
- curl -X POST https://your-maxkb-instance/api/application/ -H 'Content-Type: application/json' -d '{"name": "</title><script>alert(1)</script><title>", "desc": "Test injection"}' -u username:password
After sending the request, load the chat interface URL /ui/chat/{access_token} for the new application and inspect the raw HTML response. An unescaped script tag where the <title> text or favicon link should be confirms the vulnerability; a fixed instance returns the payload with its angle brackets encoded (for example &lt;script&gt;).
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade MaxKB to version 2.8.0 or later, where the application name and icon are HTML-escaped before the middleware substitutes them into the chat page.
If upgrading immediately is not possible, as a temporary measure restrict the ability to create or modify applications to trusted administrators, and review the 'name' and 'icon' fields of existing applications for angle brackets, quotes, or script-like content.
Additionally, monitor and audit application creation and update requests for suspicious payloads, and consider web application firewall (WAF) rules that flag script tags or title/link markup in these parameters. Serving the chat page with a Content-Security-Policy that disallows inline script limits what a successful injection can do but does not remove the bug.
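The following is an added example written for this page, not code from MaxKB or its ChatHeadersMiddleware. It models, in Python (MaxKB's backend language), the pattern described in the explanation, detection, and mitigation answers above: a chat page template into which the application name and icon are substituted, first unescaped (the vulnerable shape) and then escaped (the fixed shape), plus the check a tester runs on the fetched HTML to tell the two apart. The template, function names, and the marker payload are assumptions chosen for illustration.

```python
"""
Illustrative model of the CVE-2026-6107 pattern (hypothetical code, not MaxKB's).
The vulnerable renderer splices user-controlled name/icon values into the chat page
HTML; the fixed renderer escapes them. A detector checks a fetched page for the probe.
"""
import html
import re

# Constructed stand-in for the chat page that the middleware rewrites.
CHAT_TEMPLATE = (
    "<!DOCTYPE html><html><head>"
    "<title>MaxKB</title>"
    '<link rel="icon" href="/favicon.ico">'
    '</head><body><div id="app"></div></body></html>'
)

# Probe from the detection procedure: closes <title>, injects a script, reopens <title>.
# The CVE id inside makes a raw reflection unambiguous when grepping the response.
PROBE_NAME = '</title><script>alert("cve-2026-6107")</script><title>'


def render_chat_page_vulnerable(app_name: str, app_icon: str) -> str:
    """Vulnerable shape: raw values replace the title text and favicon href."""
    page = CHAT_TEMPLATE.replace("<title>MaxKB</title>", f"<title>{app_name}</title>")
    return page.replace('href="/favicon.ico"', f'href="{app_icon}"')


def _is_safe_icon_url(url: str) -> bool:
    """Accept a site-relative path or an absolute http(s) URL; reject javascript:, data:, etc."""
    relative = url.startswith("/") and not url.startswith("//")
    absolute = re.match(r"^https?://", url, re.IGNORECASE) is not None
    return relative or absolute


def render_chat_page_fixed(app_name: str, app_icon: str) -> str:
    """Fixed shape: HTML-escape the name; escape the icon and fall back if its scheme is unsafe."""
    safe_name = html.escape(app_name, quote=True)
    icon = app_icon if _is_safe_icon_url(app_icon) else "/favicon.ico"
    safe_icon = html.escape(icon, quote=True)
    page = CHAT_TEMPLATE.replace("<title>MaxKB</title>", f"<title>{safe_name}</title>")
    return page.replace('href="/favicon.ico"', f'href="{safe_icon}"')


def probe_reflected_unescaped(page_html: str, probe: str = PROBE_NAME) -> bool:
    """Detection check: True if the probe appears verbatim in the <head> of the fetched page.

    A fixed instance returns the probe with angle brackets and quotes encoded, so the
    verbatim string is absent even though the application name is still displayed.
    """
    head = page_html.split("</head>", 1)[0]
    return probe in head


def escaped_form_present(page_html: str, probe: str = PROBE_NAME) -> bool:
    """Sanity check for the fixed case: the escaped probe is what the page should carry."""
    return html.escape(probe, quote=True) in page_html


if __name__ == "__main__":
    vulnerable_page = render_chat_page_vulnerable(PROBE_NAME, "/favicon.ico")
    fixed_page = render_chat_page_fixed(PROBE_NAME, "/favicon.ico")
    print("vulnerable reflects raw probe:", probe_reflected_unescaped(vulnerable_page))
    print("fixed reflects raw probe:     ", probe_reflected_unescaped(fixed_page))
    print("fixed carries escaped probe:  ", escaped_form_present(fixed_page))
```

To use this against a live instance, create the application with PROBE_NAME as the name (as in the curl command above), fetch /ui/chat/{access_token} with a plain HTTP client, and pass the response body to probe_reflected_unescaped(). The icon check in the fixed renderer goes slightly beyond escaping: even with quotes escaped, a javascript: or data: URL in the favicon href is not something the application should emit, so unsafe schemes are replaced rather than merely encoded.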
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-6107 is a stored Cross-Site Scripting (XSS) issue in which an authenticated attacker injects JavaScript through the application name or icon fields, and that script then runs in the browsers of users visiting the public chat interface.
Such XSS vulnerabilities can lead to session hijacking, data theft, or unauthorized actions on behalf of users, any of which may expose or compromise personal or sensitive data handled by the chat application.
From a compliance perspective, this vulnerability could negatively impact adherence to standards like GDPR or HIPAA, which require protection of personal data and secure handling of user information to prevent unauthorized access or disclosure.
Failure to address such vulnerabilities could lead to breaches of confidentiality and integrity of data, potentially resulting in regulatory penalties or loss of trust.
Upgrading to a fixed version that properly escapes user input mitigates this risk and helps maintain compliance with security requirements in these regulations.