Home

Description

A flaw has been found in 1Panel-dev MaxKB up to 2.6.1. This issue affects some unknown processing of the file apps/common/middleware/chat_headers_middleware.py of the component ChatHeadersMiddleware. This manipulation of the argument Name causes cross site scripting. Remote exploitation of the attack is possible. Upgrading to version 2.8.0 is capable of addressing this issue. Patch name: 026a2d623e2aa5efa67c4834651e79d5d7cab1da. Upgrading the affected component is advised. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

PUBLISHED Reserved 2026-04-11 | Published 2026-04-12 | Updated 2026-04-15 | Assigner VulDB




MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X
LOW: 3.5CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C
LOW: 3.5CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C
4.0AV:N/AC:L/Au:S/C:N/I:P/A:N/E:ND/RL:OF/RC:C

Problem types

Cross Site Scripting

Code Injection

Product status

2.6.0
affected

2.6.1
affected

2.8.0
unaffected

Timeline

2026-04-11:Advisory disclosed
2026-04-11:VulDB entry created
2026-04-11:VulDB entry last update

Credits

Ana10gy (VulDB User) reporter

VulDB CNA Team coordinator

References

vuldb.com/vuln/356966 (VDB-356966 | 1Panel-dev MaxKB ChatHeadersMiddleware chat_headers_middleware.py cross site scripting) vdb-entry technical-description

vuldb.com/vuln/356966/cti (VDB-356966 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/submit/782263 (Submit #782263 | 1Panel-dev MaxKB <= v2.6.1 Stored XSS) third-party-advisory

github.com/AnalogyC0de/public_exp/issues/24 issue-tracking

github.com/1Panel-dev/MaxKB/pull/4919 issue-tracking patch

github.com/...ommit/026a2d623e2aa5efa67c4834651e79d5d7cab1da patch

github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0 patch

github.com/1Panel-dev/MaxKB/ product

cve.org (CVE-2026-6107)

nvd.nist.gov (CVE-2026-6107)

Download JSON