Severity by source
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; the only source for this CVE.
Description (CVE.org)
A vulnerability has been found in 1Panel-dev MaxKB up to 2.4.2. Impacted is an unknown function of the file ui/src/chat.ts of the component MdPreview. Such manipulation leads to cross-site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.5.0 is recommended to address this issue. The name of the patch is 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Analysis (AI-generated)
Cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.4.2 allows authenticated remote attackers to inject malicious scripts via the MdPreview component in ui/src/chat.ts; user interaction is required for the injected script to execute. Publicly available exploit code exists for this vulnerability. The vendor released patched version 2.5.0, which addresses the flaw with commit 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8.
Technical Context (AI-generated)
The vulnerability exists in the MdPreview component within the chat.ts file of MaxKB's TypeScript-based UI layer. MdPreview is a markdown preview renderer that processes user input; improper input sanitization allows an attacker to inject arbitrary HTML and JavaScript into the rendered output. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic XSS flaw in which untrusted data from chat messages flows directly into the DOM without adequate output encoding or Content Security Policy protection. The affected CPE (cpe:2.3:a:1panel-dev:maxkb:*:*:*:*:*:*:*:*) covers all versions up to 2.4.2.
Remediation (AI-generated)
Upgrade MaxKB to version 2.5.0 or later, which includes the fix via commit 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8. For detailed upgrade instructions, consult the official MaxKB releases page at https://github.com/1Panel-dev/MaxKB/releases/tag/v2.5.0. Where an immediate upgrade is not possible, restrict access to the chat functionality to trusted users only and monitor browser console logs for injected script errors as a temporary detection measure. Implement Content Security Policy (CSP) headers to limit the impact of any injected scripts.
Related identifiers
EUVD-2025-209411
GHSA-jx24-j485-cqwm