CVE-2026-39423
MEDIUMStored XSS via Eval Injection in EchartsRander Component
Title source: cnaDescription
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain an Eval Injection vulnerability in the Markdown rendering engine that allows any user capable of interacting with the AI chat interface to execute arbitrary JavaScript in the browsers of other users, including administrators, resulting in Stored Cross-Site Scripting (XSS). This issue has been fixed in version 2.8.0.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-462x-99gf-mp79
X_Refsource_Misc x_refsource_misc
https://github.com/1Panel-dev/MaxKB/commit/34fb95bde9574c5b3a734ab00c7f29b9e7d32669
X_Refsource_Misc x_refsource_misc
https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0
Scores
CVSS v3
5.4
EPSS
0.0017
EPSS Percentile
6.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
CWE-95
Status
published
Products (2)
1Panel-dev/MaxKB
< 2.8.0
maxkb/maxkb
< 2.8.0
Published
Apr 14, 2026
Tracked Since
Apr 14, 2026