EUVD-2026-21688
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Tags
Description
A flaw has been found in 1Panel-dev MaxKB up to 2.6.1. This issue affects some unknown processing of the file apps/common/middleware/chat_headers_middleware.py of the component ChatHeadersMiddleware. This manipulation of the argument Name causes cross site scripting. Remote exploitation of the attack is possible. Upgrading to version 2.8.0 is capable of addressing this issue. Patch name: 026a2d623e2aa5efa67c4834651e79d5d7cab1da. Upgrading the affected component is advised. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Analysis
Stored cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.6.1 allows authenticated remote attackers to inject malicious scripts via the Name argument in ChatHeadersMiddleware, requiring user interaction to trigger. The vulnerability has a low CVSS score (3.5) due to requiring authentication and user interaction, but XSS can lead to session hijacking or credential theft. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today