
MaxKB EUVD-2026-21686 | CVE-2026-6106 (LOW)

Cross-site Scripting (XSS) (CWE-79)
2026-04-11 · VulDB · GHSA-4gvx-284h-fwmm
CVSS 4.0 base score 2.0 (NVD)

Severity by source

NVD (primary): 2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: Low (PR:L)
User Interaction: Passive (UI:P)
Scope: X (not defined; Scope is not a CVSS 4.0 base metric)

Lifecycle Timeline (10 events)

  • Apr 29, 2026 01:11 (NVD): Severity changed, MEDIUM → LOW
  • Apr 29, 2026 01:11 (NVD): CVSS changed, 5.1 (MEDIUM) → 2.0 (LOW)
  • Apr 29, 2026 01:00 (vuln.today): PoC detected, public exploit code
  • Apr 11, 2026 23:22 (NVD): Severity changed, LOW → MEDIUM
  • Apr 11, 2026 23:22 (NVD): CVSS changed, 3.5 (LOW) → 5.1 (MEDIUM)
  • Apr 11, 2026 22:42 (vuln.today): Analysis generated
  • Apr 11, 2026 22:30 (euvd): EUVD ID assigned, EUVD-2026-21686
  • Apr 11, 2026 22:30 (vuln.today): Analysis generated
  • Apr 11, 2026 22:30 (nvd): Patch released, patch available
  • Apr 11, 2026 22:15 (nvd): CVE published, LOW 2.0

Description (CVE.org)

A vulnerability was detected in 1Panel-dev MaxKB up to 2.2.1. It affects the function StaticHeadersMiddleware in the file apps/common/middleware/static_headers_middleware.py of the component Public Chat Interface. Manipulation of the argument Name results in cross-site scripting. The attack may be launched remotely. The exploit is now public and may be used. Upgrading to version 2.8.0 resolves this issue. The patch is identified as 026a2d623e2aa5efa67c4834651e79d5d7cab1da. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Analysis (AI)

Cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.2.1 allows authenticated remote attackers to inject malicious scripts via the Name argument in the StaticHeadersMiddleware component of the Public Chat Interface. The vulnerability requires user interaction (listed here as UI:R; the NVD CVSS 4.0 vector above records UI:P, passive) and has low confidentiality impact, but it enables persistent script execution in users' browsers. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: attacker authenticates to MaxKB
  • Delivery: injects a JavaScript payload into the Name parameter
  • Exploit: payload is stored or reflected in the StaticHeadersMiddleware response
  • Execution: victim user views the chat interface
  • Impact: malicious script executes in the victim's browser context

Vulnerability Assessment (AI)

Risk Assessment: Despite the CVSS 3.5 score (low severity), this vulnerability presents moderate real-world risk when contextualized with available signals. …

Exploit Scenario: An authenticated attacker with access to MaxKB's chat interface submits a crafted payload containing JavaScript in the Name parameter (e.g., a stored XSS vector in chat metadata). When another authenticated user or an administrator views the chat interface, the script executes in their browser because the value is not sanitized, potentially harvesting session cookies, stealing credentials entered in subsequent chat interactions, or performing actions on behalf of the victim within the MaxKB application.

Remediation: Vendor-released patch; upgrade to MaxKB version 2.8.0 or later. …


EUVD-2026-21686 vulnerability details – vuln.today
