CVE-2026-6107
Received Received - Intake
Cross-Site Scripting in 1Panel-dev MaxKB ChatHeadersMiddleware

Publication date: 2026-04-12

Last updated on: 2026-04-12

Assigner: VulDB

Description
A flaw has been found in 1Panel-dev MaxKB up to 2.6.1. This issue affects some unknown processing of the file apps/common/middleware/chat_headers_middleware.py of the component ChatHeadersMiddleware. This manipulation of the argument Name causes cross site scripting. Remote exploitation of the attack is possible. Upgrading to version 2.8.0 is capable of addressing this issue. Patch name: 026a2d623e2aa5efa67c4834651e79d5d7cab1da. Upgrading the affected component is advised. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-12
Last Modified
2026-04-12
Generated
2026-06-16
AI Q&A
2026-04-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6107
EUVD
EUVD-2026-21688
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
1panel-dev maxkb 2.6.1
1panel-dev maxkb 2.8.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-6107 is a stored Cross-Site Scripting (XSS) vulnerability in MaxKB versions up to 2.6.1. It occurs because authenticated users can inject malicious JavaScript code into the application name or icon fields when creating an application via the POST /api/application/ endpoint.

The vulnerability arises from the ChatHeadersMiddleware component, which processes HTTP responses for chat interface requests. This middleware inserts the application name and icon directly into HTML response headers without proper HTML escaping or sanitization.

An attacker can craft a payload containing malicious script tags in the application name, which gets embedded into the HTML response. When a victim accesses the chat interface URL, the malicious script executes in their browser context, enabling arbitrary JavaScript execution.

Impact Analysis

This vulnerability allows an authenticated attacker to execute arbitrary JavaScript code in the browsers of users who visit the affected chat interface. This can lead to several security risks including session hijacking, theft of sensitive data, and other malicious actions performed in the context of the victim's session.

Because the malicious script runs with the same privileges as the legitimate site, it can manipulate the user interface, steal cookies or tokens, and potentially perform actions on behalf of the victim without their consent.

Detection Guidance

This vulnerability can be detected by checking for malicious JavaScript code injection in the application name or icon fields when creating an application via the POST /api/application/ endpoint.

Specifically, an authenticated user could send a POST request with payloads containing script tags in the 'name' or 'icon' parameters to test if the system is vulnerable.

For example, you can use the following curl command to test for the vulnerability by injecting a script in the application name:

  • curl -X POST https://your-maxkb-instance/api/application/ -H 'Content-Type: application/json' -d '{"name": "</title><script>alert(1)</script><title>", "desc": "Test injection"}' -u username:password

After sending such a request, accessing the chat interface URL /ui/chat/{access_token} and inspecting the HTML response for unescaped script tags in the <title> tag or favicon replacement can confirm the presence of the vulnerability.

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade MaxKB to version 2.8.0 or later, where this vulnerability has been fixed by properly escaping user-supplied application name and icon data before injecting it into HTTP response headers.

If upgrading immediately is not possible, as a temporary measure, restrict authenticated users from creating or modifying applications with untrusted input in the 'name' or 'icon' fields to prevent injection of malicious scripts.

Additionally, monitor and audit application creation requests for suspicious payloads and consider applying web application firewall (WAF) rules to detect and block attempts to inject script tags in these parameters.

Compliance Impact

The vulnerability CVE-2026-6107 is a stored Cross-Site Scripting (XSS) issue that allows authenticated attackers to inject malicious JavaScript code into the application name or icon fields, which is then executed in the context of users visiting the public chat interface.

Such XSS vulnerabilities can lead to session hijacking, data theft, or unauthorized actions on behalf of users, which may result in exposure or compromise of personal or sensitive data.

From a compliance perspective, this vulnerability could negatively impact adherence to standards like GDPR or HIPAA, which require protection of personal data and secure handling of user information to prevent unauthorized access or disclosure.

Failure to address such vulnerabilities could lead to breaches of confidentiality and integrity of data, potentially resulting in regulatory penalties or loss of trust.

Upgrading to a fixed version that properly escapes user input mitigates this risk and helps maintain compliance with security requirements in these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6107. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart