Is there a patch available for CVE-2026-39426?

Yes, a patch is available for CVE-2026-39426. Update the affected software to the latest version immediately.

Maxkb CVE-2026-39426

Q: What is the CVSS score of CVE-2026-39426?

CVE-2026-39426 has a CVSS 4.0 base score of 5.1 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-22193 MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-04-14 GitHub_M

Information Disclosure XSS Maxkb

5.1

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.1 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Scope

Lifecycle Timeline

Patch released

Apr 20, 2026 - 17:31 nvd

Patch available

Apr 16, 2026 - 05:29 EUVD

2.8.0

Analysis Generated

Apr 14, 2026 - 04:10 vuln.today

CVSS changed

Apr 14, 2026 - 02:22 NVD

5.1 (MEDIUM)

EUVD ID Assigned

Apr 14, 2026 - 02:00 euvd

EUVD-2026-22193

Analysis Generated

Apr 14, 2026 - 02:00 vuln.today

CVE Published

Apr 14, 2026 - 01:25 nvd

MEDIUM 5.1

DescriptionGitHub Advisory

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability where the frontend's MdRenderer.vue component parses custom <iframe_render> tags from LLM responses or Application Prologue configurations, bypassing standard Markdown sanitization and XSS filtering. The unsanitized HTML content is passed to the IframeRender.vue component, which renders it directly into an <iframe> via the srcdoc attribute configured with sandbox="allow-scripts allow-same-origin". This can be a dangerous combination, allowing injected scripts to escape the iframe and execute JavaScript in the parent window using window.parent. Since the Prologue is rendered for any user visiting an application's chat interface, this results in a high-impact Stored XSS that can lead to session hijacking, unauthorized actions, and sensitive data exposure. This issue has been fixed in version 2.8.0.

AnalysisAI

Stored Cross-Site Scripting in MaxKB's MdRenderer component allows authenticated users to inject malicious scripts via custom <iframe_render> tags in LLM responses or Application Prologue configurations, leading to JavaScript execution in the parent window context with access to session tokens and sensitive data. MaxKB versions 2.7.1 and earlier are affected; the vulnerability is fixed in version 2.8.0. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Inject malicious <iframe_render> tag via Prologue

Delivery

MdRenderer parses tag without sanitization

Exploit

IframeRender renders HTML to srcdoc

Install

JavaScript executes in iframe context

Script calls window.parent to escape sandbox

Execute

Arbitrary code runs in parent window

Impact

Session hijacking and data exfiltration