Submission #782263: 1Panel-dev MaxKB <= v2.6.1 Stored XSS

Title: 1Panel-dev MaxKB <= v2.6.1 Stored XSS
Description: A Stored Cross-Site Scripting (XSS) vulnerability exists in MaxKB. Authenticated users can inject malicious JavaScript into the application name or icon fields when creating an application. When a victim visits the public chat interface (/ui/chat/{access_token}), the ChatHeadersMiddleware retrieves the application data and directly inserts the unescaped application name and icon into the HTML response via string replacement. This allows an attacker to execute arbitrary JavaScript in the victim's browser context.
Source: https://github.com/AnalogyC0de/public_exp/issues/24
User: Ana10gy (UID 93358)
Submitted: 18/03/2026 12:56 (27 days ago)
Moderated: 11/04/2026 09:35 (24 days later)
Status: Accepted
VulDB entry: 356966 [1Panel-dev MaxKB up to 2.6.1 ChatHeadersMiddleware chat_headers_middleware.py Name cross site scripting]
Points: 20
