Submit #782265: 1Panel-dev MaxKB <= v2.6.1 Stored XSS

Title: 1Panel-dev MaxKB <= v2.6.1 Stored XSS
Description: A Stored Cross-Site Scripting (XSS) vulnerability exists in MaxKB. Authenticated users with dataset management permissions can create paragraphs containing arbitrary HTML/Markdown content. The application stores this content without sanitization and subsequently renders it in the UI using the md-editor-v3 MdPreview component, which does not sanitize HTML by default. This allows attackers to inject malicious JavaScript that executes when other users, including administrators, view the paragraph or execution details.
Source: https://github.com/AnalogyC0de/public_exp/issues/28
User: Ana10gy (UID 93358)
Submission: 03/18/2026 13:07 (25 days ago)
Moderation: 04/11/2026 09:35 (24 days later)
Status: Accepted
VulDB entry: 356967 [1Panel-dev MaxKB up to 2.4.2 MdPreview ui/src/chat.ts cross site scripting]
Points: 20
