CVE-2026-6106
published 2026-04-11CVE-2026-6106: A vulnerability was detected in 1Panel-dev MaxKB up to 2.2.1. This vulnerability affects the function StaticHeadersMiddleware of the file…
PriorityP418low3.5CVSS 3.1
AVNACLPRLUIRSUCNILAN
EPSS
0.27%
17.9th percentile
A vulnerability was detected in 1Panel-dev MaxKB up to 2.2.1. This vulnerability affects the function StaticHeadersMiddleware of the file apps/common/middleware/static_headers_middleware.py of the component Public Chat Interface. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. Upgrading to version 2.8.0 is able to resolve this issue. The patch is identified as 026a2d623e2aa5efa67c4834651e79d5d7cab1da. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 1panel-dev | maxkb | — | — |
| 1panel-dev | maxkb | — | — |
CVSS provenance
nvdv3.13.5LOWCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
nvdv4.02.0LOWCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.04.0MEDIUMAV:N/AC:L/Au:S/C:N/I:P/A:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-4gvx-284h-fwmm: A vulnerability was detected in 1Panel-dev MaxKB up to 2
ghsa_unreviewed·2026-04-12
CVE-2026-6106 [MEDIUM] CWE-79 GHSA-4gvx-284h-fwmm: A vulnerability was detected in 1Panel-dev MaxKB up to 2
A vulnerability was detected in 1Panel-dev MaxKB up to 2.2.1. This vulnerability affects the function StaticHeadersMiddleware of the file apps/common/middleware/static_headers_middleware.py of the component Public Chat Interface. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. Upgrading to version 2.8.0 is able to resolve this issue. The patch is identified as 026a2d623e2aa5efa67c4834651e79d5d7cab1da. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
VulDB
1Panel-dev MaxKB up to 2.2.1 Public Chat Interface static_headers_middleware.py StaticHeadersMiddleware Name cross site scripting
vuldb·2026-04-11·CVSS 5.1
CVE-2026-6106 [MEDIUM] 1Panel-dev MaxKB up to 2.2.1 Public Chat Interface static_headers_middleware.py StaticHeadersMiddleware Name cross site scripting
A vulnerability was found in 1Panel-dev MaxKB up to 2.2.1. It has been declared as problematic. This vulnerability affects the function StaticHeadersMiddleware of the file apps/common/middleware/static_headers_middleware.py of the component Public Chat Interface. The manipulation of the argument Name results in cross site scripting.
This vulnerability is cataloged as CVE-2026-6106. The attack may be launched remotely. Furthermore, there is an exploit available.
It is recommended to upgrade the affected component.
The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/1Panel-dev/MaxKB/https://github.com/1Panel-dev/MaxKB/commit/026a2d623e2aa5efa67c4834651e79d5d7cab1dahttps://github.com/1Panel-dev/MaxKB/pull/4919https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0https://github.com/AnalogyC0de/public_exp/issues/23https://vuldb.com/submit/781810https://vuldb.com/vuln/356965https://vuldb.com/vuln/356965/cti
2026-04-11
Published