{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6106", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-11T07:33:57.699Z", "datePublished": "2026-04-11T22:15:14.027Z", "dateUpdated": "2026-04-13T12:26:30.360Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-11T22:15:14.027Z"}, "title": "1Panel-dev MaxKB Public Chat static_headers_middleware.py StaticHeadersMiddleware cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "1Panel-dev", "product": "MaxKB", "versions": [{"version": "2.2.0", "status": "affected"}, {"version": "2.2.1", "status": "affected"}, {"version": "2.8.0", "status": "unaffected"}], "cpes": ["cpe:2.3:a:maxkb:maxkb:*:*:*:*:*:*:*:*"], "modules": ["Public Chat Interface"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in 1Panel-dev MaxKB up to 2.2.1. This vulnerability affects the function StaticHeadersMiddleware of the file apps/common/middleware/static_headers_middleware.py of the component Public Chat Interface. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. Upgrading to version 2.8.0 is able to resolve this issue. The patch is identified as 026a2d623e2aa5efa67c4834651e79d5d7cab1da. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-04-11T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-11T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-11T10:25:52.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Ana10gy (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/356965", "name": "VDB-356965 | 1Panel-dev MaxKB Public Chat static_headers_middleware.py StaticHeadersMiddleware cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/356965/cti", "name": "VDB-356965 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/781810", "name": "Submit #781810 | 1Panel-dev MaxKB <= v2.2.1 Stored XSS", "tags": ["third-party-advisory"]}, {"url": "https://github.com/AnalogyC0de/public_exp/issues/23", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/1Panel-dev/MaxKB/pull/4919", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/1Panel-dev/MaxKB/commit/026a2d623e2aa5efa67c4834651e79d5d7cab1da", "tags": ["patch"]}, {"url": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0", "tags": ["patch"]}, {"url": "https://github.com/1Panel-dev/MaxKB/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T12:26:04.256987Z", "id": "CVE-2026-6106", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T12:26:30.360Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6106", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T12:26:04.256987Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T12:26:17.158Z"}}], "cna": {"tags": ["x_open-source"], "title": "1Panel-dev MaxKB Public Chat static_headers_middleware.py StaticHeadersMiddleware cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "Ana10gy (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C"}}], "affected": [{"cpes": ["cpe:2.3:a:maxkb:maxkb:*:*:*:*:*:*:*:*"], "vendor": "1Panel-dev", "modules": ["Public Chat Interface"], "product": "MaxKB", "versions": [{"status": "affected", "version": "2.2.0"}, {"status": "affected", "version": "2.2.1"}, {"status": "unaffected", "version": "2.8.0"}]}], "timeline": [{"lang": "en", "time": "2026-04-11T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-11T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-11T10:25:52.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/356965", "name": "VDB-356965 | 1Panel-dev MaxKB Public Chat static_headers_middleware.py StaticHeadersMiddleware cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/356965/cti", "name": "VDB-356965 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/781810", "name": "Submit #781810 | 1Panel-dev MaxKB <= v2.2.1 Stored XSS", "tags": ["third-party-advisory"]}, {"url": "https://github.com/AnalogyC0de/public_exp/issues/23", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/1Panel-dev/MaxKB/pull/4919", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/1Panel-dev/MaxKB/commit/026a2d623e2aa5efa67c4834651e79d5d7cab1da", "tags": ["patch"]}, {"url": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0", "tags": ["patch"]}, {"url": "https://github.com/1Panel-dev/MaxKB/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in 1Panel-dev MaxKB up to 2.2.1. This vulnerability affects the function StaticHeadersMiddleware of the file apps/common/middleware/static_headers_middleware.py of the component Public Chat Interface. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. Upgrading to version 2.8.0 is able to resolve this issue. The patch is identified as 026a2d623e2aa5efa67c4834651e79d5d7cab1da. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-11T22:15:14.027Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6106", "state": "PUBLISHED", "dateUpdated": "2026-04-13T12:26:30.360Z", "dateReserved": "2026-04-11T07:33:57.699Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-11T22:15:14.027Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in 1Panel-dev MaxKB up to 2.2.1. This vulnerability affects the function StaticHeadersMiddleware of the file apps/common/middleware/static_headers_middleware.py of the component Public Chat Interface. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. Upgrading to version 2.8.0 is able to resolve this issue. The patch is identified as 026a2d623e2aa5efa67c4834651e79d5d7cab1da. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."}], "id": "CVE-2026-6106", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-11T23:16:05.823", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/1Panel-dev/MaxKB/"}, {"source": "cna@vuldb.com", "url": "https://github.com/1Panel-dev/MaxKB/commit/026a2d623e2aa5efa67c4834651e79d5d7cab1da"}, {"source": "cna@vuldb.com", "url": "https://github.com/1Panel-dev/MaxKB/pull/4919"}, {"source": "cna@vuldb.com", "url": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0"}, {"source": "cna@vuldb.com", "url": "https://github.com/AnalogyC0de/public_exp/issues/23"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/781810"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356965"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356965/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.2.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.2.1"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "2.8.0"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "MaxKB", "source": "cna", "vendor": "1Panel-dev"}, "product": "maxkb", "vendor": "1panel"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.2.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.2.1"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "2.8.0"}}], "original": {"product": "MaxKB", "source": "cna", "vendor": "1Panel-dev"}, "product": "maxkb", "vendor": "maxkb"}], "analysis": {"en": {"generated_at": "2026-04-11T23:20:43.558659+00:00", "value": {"mitigation_remediation": ["Upgrade MaxKB to version 2.8.0 or later.", "Verify the upgrade by checking the middleware version and testing name input handling.", "Monitor logs for any unusual activity after patching."], "summary": {"action": "Patch Immediately", "impact": "Cross\u2011site scripting"}, "threat_synthesis": {"affected_systems": "1Panel\u2011dev MaxKB\u2019s Public Chat Interface is affected, specifically the StaticHeadersMiddleware implementation. Versions up to 2.2.1 are vulnerable, while the patch is included in release 2.8.0. The vulnerability is confined to the component that processes chat messages and their metadata, so only installations exposing the public chat interface are at risk.", "description_and_impact": "A vulnerability exists in the StaticHeadersMiddleware component of 1Panel\u2011dev MaxKB versions up to 2.2.1. The middleware fails to sanitize the Name argument, allowing attackers to inject malicious script payloads into HTTP responses. This cross\u2011site scripting flaw can execute arbitrary JavaScript in the victim's browser, potentially hijacking sessions, defacing user interfaces, or redirecting users to malicious sites. The weakness is characterized as an XSS flaw, aligned with CWE\u201179 and also noted as a code injection issue.", "risk_and_exploitability": "The CVSS score of 5.1 indicates moderate severity, and the attacker can exploit the flaw remotely by sending a crafted Name value to the chat endpoint. EPSS data is unavailable, but the vulnerability has an active public exploit as documented by the vendor and the community. Since the exploit is available and the issue is not listed in the CISA KEV catalog, organizations should treat the flaw with high operational urgency, prioritizing code remediation and monitoring for abuse."}}}}, "created": "2026-04-13T12:41:48.005102+00:00", "updated": "2026-04-13T12:56:30.695906+00:00", "vendors": ["1panel", "1panel$PRODUCT$maxkb", "maxkb", "maxkb$PRODUCT$maxkb"]}