Is there a patch available for CVE-2026-39422?

Yes, a patch is available for CVE-2026-39422. Update the affected software to the latest version immediately.

Maxkb CVE-2026-39422

Q: What is the CVSS score of CVE-2026-39422?

CVE-2026-39422 has a CVSS 4.0 base score of 6.9 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-22182 MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-04-14 GitHub_M

XSS Maxkb

6.9

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.9 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Scope

Lifecycle Timeline

Patch released

Apr 20, 2026 - 17:34 nvd

Patch available

Apr 16, 2026 - 05:29 EUVD

2.8.0

Analysis Generated

Apr 14, 2026 - 01:22 vuln.today

CVSS changed

Apr 14, 2026 - 01:22 NVD

6.9 (MEDIUM)

EUVD ID Assigned

Apr 14, 2026 - 01:15 euvd

EUVD-2026-22182

Analysis Generated

Apr 14, 2026 - 01:15 vuln.today

CVE Published

Apr 14, 2026 - 00:22 nvd

MEDIUM 6.9

DescriptionGitHub Advisory

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability through the application name or icon fields when creating an application. When a victim visits the public chat interface (/ui/chat/{access_token}), the ChatHeadersMiddleware retrieves the application data and directly inserts the unescaped application name and icon into the HTML response via string replacement. This allows an attacker to execute arbitrary JavaScript in the victim's browser context. This issue has been fixed in version 2.8.0.

AnalysisAI

Stored Cross-Site Scripting (XSS) in MaxKB 2.7.1 and below allows authenticated users to inject malicious JavaScript through application name or icon fields, which is then executed in victims' browsers when accessing the public chat interface. The vulnerability stems from unsanitized data insertion into HTML responses by ChatHeadersMiddleware, enabling arbitrary code execution with user interaction. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Authenticate as low-privileged user

Delivery

Create application with malicious JavaScript in name field

Exploit

Share public chat URL

Install

Victim visits chat link

Middleware renders unescaped payload

Execute

JavaScript executes in victim context

Impact

Steal session tokens or redirect to phishing