Platform
php
Component
1panel-dev-maxkb
Fixed in
2.2.1
2.8.0
A cross-site scripting (XSS) vulnerability has been identified in 1Panel-dev MaxKB versions 2.2.0 through 2.8.0. This flaw resides within the StaticHeadersMiddleware function of the Public Chat Interface component, specifically the handling of the 'Name' argument. Successful exploitation could allow an attacker to inject malicious scripts into the application, potentially compromising user data and system integrity. The vulnerability is now public and a fix is available in version 2.8.0.
The XSS vulnerability in 1Panel-dev MaxKB allows an attacker to inject arbitrary JavaScript code into the application's web pages. This code can then be executed in the context of a user's browser, potentially enabling the attacker to steal session cookies, redirect users to malicious websites, or deface the application. Given the public nature of the exploit, the risk of immediate exploitation is elevated. The Public Chat Interface component is likely used for user interaction, making it a prime target for attackers seeking to compromise user accounts or gain access to sensitive information. The impact could extend beyond the immediate application, potentially affecting other systems accessible from the compromised user's session.
This vulnerability is rated LOW severity, with a CVSS score of 3.5. A public proof-of-concept (PoC) is available, indicating a higher likelihood of exploitation. The vulnerability was disclosed on 2026-04-11. It is not currently listed on CISA KEV as of this writing, but the public PoC warrants close monitoring. Active campaigns targeting 1Panel-dev MaxKB are not currently confirmed, but the availability of a PoC increases the risk of opportunistic exploitation.
Exploit Status
EPSS: 0.03% (10th percentile)
The primary mitigation for CVE-2026-6106 is to upgrade 1Panel-dev MaxKB to version 2.8.0, which contains the fix (commit 026a2d623e2aa5efa67c4834651e79d5d7cab1da). If upgrading is not immediately feasible, consider implementing temporary workarounds such as input validation and output encoding on the 'Name' parameter within the StaticHeadersMiddleware function. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Monitor application logs for suspicious activity, particularly requests containing unusual characters or patterns in the 'Name' parameter. After upgrade, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the 'Name' field and verifying that it is properly sanitized.
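The two interim measures named above (allowlist validation with output encoding of the 'Name' value, and reviewing access logs for hostile-looking 'Name' parameters) as an added, stand-alone Python example. This is not MaxKB's middleware or any code from the project; the allowlist, the log format and the sample log lines are constructed here for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist for a display name (assumption for this example): Unicode letters,
# digits, underscore, space, dot, apostrophe and hyphen, at most 64 characters.
NAME_ALLOWED = re.compile(r"[\w .'\-]{1,64}")


def validate_name(name: str) -> bool:
    """Input validation: accept only names made entirely of allowlisted characters."""
    return NAME_ALLOWED.fullmatch(name) is not None


def encode_name_for_html(name: str) -> str:
    """Output encoding: make the value safe for an HTML text node or quoted attribute."""
    return html.escape(name, quote=True)


def suspicious_name_requests(log_lines):
    """Return (request line, decoded Name value) for log entries whose Name
    query parameter fails the same allowlist; these are the requests to review."""
    hits = []
    for line in log_lines:
        parts = line.split('"')          # common log format: request is between the first quotes
        if len(parts) < 2:
            continue
        request = parts[1]               # e.g. GET /chat?Name=... HTTP/1.1
        fields = request.split()
        if len(fields) < 2:
            continue
        query = urlsplit(fields[1]).query
        for value in parse_qs(query).get("Name", []):   # parse_qs percent-decodes values
            if not validate_name(value):
                hits.append((request, value))
    return hits


# Constructed sample access-log lines, not real MaxKB traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Apr/2026:10:00:01 +0000] "GET /chat?Name=Alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [11/Apr/2026:10:00:07 +0000] "GET /chat?Name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '10.0.0.7 - - [11/Apr/2026:10:00:09 +0000] "GET /chat?Name=Bob%20O%27Neil HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for request, value in suspicious_name_requests(SAMPLE_LOG):
        print(f"review: {request!r} -> Name={value!r} (encoded: {encode_name_for_html(value)})")
```

The detection reuses the validation allowlist, so anything the application would reject is also what the log review flags; tune the allowlist to the names your deployment legitimately sees.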
Update the MaxKB component to version 2.8.0 or higher to mitigate the cross-site scripting (XSS) vulnerability. The update corrects the handling of the 'Name' argument in the StaticHeadersMiddleware middleware, eliminating the risk of malicious code execution.
CVE-2026-6106 is a cross-site scripting (XSS) vulnerability affecting 1Panel-dev MaxKB versions 2.2.0 through 2.8.0, allowing attackers to inject malicious scripts.
You are affected if you are running 1Panel-dev MaxKB versions 2.2.0 to 2.8.0 and have not upgraded. Check your version and upgrade immediately.
Upgrade 1Panel-dev MaxKB to version 2.8.0. If upgrading is not possible, implement input validation and output encoding as temporary workarounds.
A public proof-of-concept exists, indicating a potential for active exploitation. Monitor your systems closely.
Contact 1Panel-dev directly for the official advisory. The vendor was contacted early regarding this vulnerability.