CVE-2026-6107
published 2026-04-12CVE-2026-6107: A flaw has been found in 1Panel-dev MaxKB up to 2.6.1. This issue affects some unknown processing of the file apps/common/middleware/chat_headers_middleware.py…
PriorityP416low3.5CVSS 3.1
AVNACLPRLUIRSUCNILAN
EPSS
0.21%
11.5th percentile
A flaw has been found in 1Panel-dev MaxKB up to 2.6.1. This issue affects some unknown processing of the file apps/common/middleware/chat_headers_middleware.py of the component ChatHeadersMiddleware. This manipulation of the argument Name causes cross site scripting. Remote exploitation of the attack is possible. Upgrading to version 2.8.0 is capable of addressing this issue. Patch name: 026a2d623e2aa5efa67c4834651e79d5d7cab1da. Upgrading the affected component is advised. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 1panel-dev | maxkb | — | — |
| 1panel-dev | maxkb | — | — |
CVSS provenance
nvdv3.13.5LOWCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
nvdv4.05.1MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.04.0MEDIUMAV:N/AC:L/Au:S/C:N/I:P/A:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-96q3-fpgp-35xf: A flaw has been found in 1Panel-dev MaxKB up to 2
ghsa_unreviewed·2026-04-12
CVE-2026-6107 [MEDIUM] CWE-79 GHSA-96q3-fpgp-35xf: A flaw has been found in 1Panel-dev MaxKB up to 2
A flaw has been found in 1Panel-dev MaxKB up to 2.6.1. This issue affects some unknown processing of the file apps/common/middleware/chat_headers_middleware.py of the component ChatHeadersMiddleware. This manipulation of the argument Name causes cross site scripting. Remote exploitation of the attack is possible. Upgrading to version 2.8.0 is capable of addressing this issue. Patch name: 026a2d623e2aa5efa67c4834651e79d5d7cab1da. Upgrading the affected component is advised. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
VulDB
1Panel-dev MaxKB up to 2.6.1 ChatHeadersMiddleware chat_headers_middleware.py Name cross site scripting
vuldb·2026-04-11·CVSS 5.1
CVE-2026-6107 [MEDIUM] 1Panel-dev MaxKB up to 2.6.1 ChatHeadersMiddleware chat_headers_middleware.py Name cross site scripting
A vulnerability was found in 1Panel-dev MaxKB up to 2.6.1. It has been rated as problematic. This issue affects some unknown processing of the file apps/common/middleware/chat_headers_middleware.py of the component ChatHeadersMiddleware. This manipulation of the argument Name causes cross site scripting.
This vulnerability is registered as CVE-2026-6107. Remote exploitation of the attack is possible. No exploit is available.
Upgrading the affected component is advised.
The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/1Panel-dev/MaxKB/https://github.com/1Panel-dev/MaxKB/commit/026a2d623e2aa5efa67c4834651e79d5d7cab1dahttps://github.com/1Panel-dev/MaxKB/pull/4919https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0https://github.com/AnalogyC0de/public_exp/issues/24https://vuldb.com/submit/782263https://vuldb.com/vuln/356966https://vuldb.com/vuln/356966/cti
2026-04-12
Published