{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39426", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T00:23:30.596Z", "datePublished": "2026-04-14T01:25:10.592Z", "dateUpdated": "2026-04-14T01:25:10.592Z"}, "containers": {"cna": {"title": "MaxKB: Stored XSS via Unsanitized iframe_render Parsing", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-q2qg-43vq-f2wv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-q2qg-43vq-f2wv"}, {"name": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0"}], "affected": [{"vendor": "1Panel-dev", "product": "MaxKB", "versions": [{"version": "< 2.8.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T01:25:10.592Z"}, "descriptions": [{"lang": "en", "value": "MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability where the frontend's MdRenderer.vue component parses custom <iframe_render> tags from LLM responses or Application Prologue configurations, bypassing standard Markdown sanitization and XSS filtering. The unsanitized HTML content is passed to the IframeRender.vue component, which renders it directly into an <iframe> via the srcdoc attribute configured with sandbox=\"allow-scripts allow-same-origin\". This can be a dangerous combination, allowing injected scripts to escape the iframe and execute JavaScript in the parent window using window.parent. Since the Prologue is rendered for any user visiting an application's chat interface, this results in a high-impact Stored XSS that can lead to session hijacking, unauthorized actions, and sensitive data exposure. This issue has been fixed in version 2.8.0."}], "source": {"advisory": "GHSA-q2qg-43vq-f2wv", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability where the frontend's MdRenderer.vue component parses custom <iframe_render> tags from LLM responses or Application Prologue configurations, bypassing standard Markdown sanitization and XSS filtering. The unsanitized HTML content is passed to the IframeRender.vue component, which renders it directly into an <iframe> via the srcdoc attribute configured with sandbox=\"allow-scripts allow-same-origin\". This can be a dangerous combination, allowing injected scripts to escape the iframe and execute JavaScript in the parent window using window.parent. Since the Prologue is rendered for any user visiting an application's chat interface, this results in a high-impact Stored XSS that can lead to session hijacking, unauthorized actions, and sensitive data exposure. This issue has been fixed in version 2.8.0."}], "id": "CVE-2026-39426", "lastModified": "2026-04-14T02:16:05.460", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-14T02:16:05.460", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-q2qg-43vq-f2wv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.8.0)"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "MaxKB", "source": "cna", "vendor": "1Panel-dev"}, "product": "maxkb", "vendor": "1panel"}], "analysis": {"en": {"generated_at": "2026-04-14T03:51:01.379368+00:00", "value": {"mitigation_remediation": ["Upgrade MaxKB to version 2.8.0 or later to fully eliminate the flaw.", "If an immediate upgrade is not possible, disable or remove the use of <iframe_render> tags in the prologue configuration and sanitize all LLM output before rendering.", "Consider restricting configuration write access to trusted administrators to prevent injection of malicious tags."], "summary": {"action": "Patch Now", "impact": "Stored XSS"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the 1Panel\u2011dev MaxKB product for all releases through 2.7.1. Any deployment that stores unfiltered LLM output or uses custom prologue settings is vulnerable; the flaw is fixed starting with version 2.8.0.", "description_and_impact": "MaxKB, an open\u2011source AI assistant, contains a stored cross\u2011site scripting flaw in versions 2.7.1 and earlier. The front\u2011end component that renders LLM responses and application prologue configurations accepts custom <iframe_render> tags without sanitization. These tags are passed to a dedicated renderer that embeds the supplied HTML into an <iframe> using the srcdoc attribute. The sandbox on that iframe allows scripts to run and escape via window.parent, giving attackers a powerful route to execute JavaScript in the parent page.", "risk_and_exploitability": "The CVSS score of 5.1 labels the issue as medium severity, and no EPSS estimate is available. Because the exploit merely requires the insertion of a malicious <iframe_render> tag into stored content, the barrier to attack is low for anyone with the ability to modify LLM output or configure the application prologue. The flaw is not listed in CISA's Known Exploited Vulnerabilities catalog, but its stored nature means that all users who view the compromised chat can be affected, allowing session hijacking, unauthorized actions, and data exposure."}}}}, "created": "2026-04-14T16:16:07.581424+00:00", "updated": "2026-04-14T16:31:04.101082+00:00", "vendors": ["1panel", "1panel$PRODUCT$maxkb"]}