Platform: php
Component: 1panel-dev-maxkb
Fixed in: 2.2.1, 2.8.0
A cross-site scripting (XSS) vulnerability has been identified in 1Panel-dev MaxKB versions 2.2.0 through 2.8.0. This flaw resides within the StaticHeadersMiddleware function of the Public Chat Interface component, specifically the handling of the 'Name' argument. Successful exploitation could allow an attacker to inject malicious scripts into the application, potentially compromising user data and system integrity. The vulnerability is now public and a fix is available in version 2.8.0.
The XSS vulnerability in 1Panel-dev MaxKB allows an attacker to inject arbitrary JavaScript code into the application's web pages. This code can then be executed in the context of a user's browser, potentially enabling the attacker to steal session cookies, redirect users to malicious websites, or deface the application. Given the public nature of the exploit, the risk of immediate exploitation is elevated. The Public Chat Interface component is likely used for user interaction, making it a prime target for attackers seeking to compromise user accounts or gain access to sensitive information. The impact could extend beyond the immediate application, potentially affecting other systems accessible from the compromised user's session.
This vulnerability is considered LOW severity according to CVSS 3.5. A public proof-of-concept (PoC) is available, indicating a higher likelihood of exploitation. The vulnerability was disclosed on 2026-04-11. It is not currently listed on CISA KEV as of this writing, but the public PoC warrants close monitoring. Active campaigns targeting 1Panel-dev MaxKB are not currently confirmed, but the availability of a PoC increases the risk of opportunistic exploitation.
Organizations utilizing 1Panel-dev MaxKB in their deployments, particularly those with publicly accessible chat interfaces, are at risk. Shared hosting environments where multiple users share the same 1Panel-dev MaxKB instance are especially vulnerable, as a compromise of one user could potentially affect others. Legacy configurations or deployments that have not been regularly updated are also at increased risk.
• php: Examine application logs for requests containing suspicious characters or patterns in the 'Name' parameter. Use grep to search for patterns like <script> or javascript: within the logs (the -E flag is required so that | is treated as alternation rather than a literal character):

grep -iE '<script|javascript:' /var/log/apache2/access.log

• generic web: Use curl to test the affected endpoint with various payloads. Check the response headers for signs of XSS.

curl -X POST -d "Name=<script>alert('XSS')</script>" http://your-1panel-maxkb-url/chat

References: disclosure, PoC, patch
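The grep command above only matches the literal strings `<script` and `javascript:`, so a URL-encoded request such as `Name=%3Cscript%3E` passes it unnoticed. The following is an added Python example, not code from this page or from the MaxKB project, that parses Common Log Format lines, decodes the `Name` query parameter and applies the same two indicators after decoding. The sample log lines, the `/chat` path and the client addresses are constructed for the illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qs

# The two indicators the advisory names, matched case-insensitively after
# URL-decoding so encoded variants such as %3Cscript%3E are not missed.
XSS_INDICATORS = re.compile(r"<script|javascript:", re.IGNORECASE)

# Common Log Format request line: "METHOD /path?query HTTP/1.1"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def extract_name_param(log_line):
    """Return the decoded 'Name' query parameter from one access-log line, or None."""
    m = REQUEST_LINE.search(log_line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    values = parse_qs(query, keep_blank_values=True).get("Name")
    if not values:
        return None
    # parse_qs already decodes once; decode once more so a double-encoded
    # payload (%253C -> %3C -> <) is inspected in its final form.
    return unquote_plus(values[0])


def find_suspicious(log_lines):
    """Return (line_number, decoded_name) for every line whose Name value matches an indicator."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        name = extract_name_param(line)
        if name is not None and XSS_INDICATORS.search(name):
            hits.append((n, name))
    return hits


# Constructed sample log lines (not real traffic). The /chat path, the
# timestamps and the 203.0.113.0/24 addresses are assumptions for this example.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Apr/2026:10:00:01 +0000] "GET /chat?Name=alice HTTP/1.1" 200 512',
    '203.0.113.6 - - [11/Apr/2026:10:00:02 +0000] "GET /chat?Name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '203.0.113.7 - - [11/Apr/2026:10:00:03 +0000] "GET /chat?Name=JaVaScRiPt:alert(1) HTTP/1.1" 200 512',
    '203.0.113.8 - - [11/Apr/2026:10:00:04 +0000] "GET /chat?Name=%253Cscript%253E HTTP/1.1" 200 512',
    '203.0.113.9 - - [11/Apr/2026:10:00:05 +0000] "POST /chat HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for lineno, value in find_suspicious(SAMPLE_LOG):
        print(f"line {lineno}: suspicious Name value {value!r}")
```

One caveat that matters for this page: the curl check above sends `Name` in a POST body, and a standard access log records only the request line, so a body parameter never shows up in it (the last sample line illustrates this). Log-based detection of this kind sees GET query strings only, unless the application or a reverse proxy is configured to log request bodies.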
Exploit status:
EPSS: 0.03% (10th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-6106 is to upgrade 1Panel-dev MaxKB to version 2.8.0, which contains the fix (commit 026a2d623e2aa5efa67c4834651e79d5d7cab1da). If upgrading is not immediately feasible, consider implementing temporary workarounds such as input validation and output encoding on the 'Name' parameter within the StaticHeadersMiddleware function. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Monitor application logs for suspicious activity, particularly requests containing unusual characters or patterns in the 'Name' parameter. After upgrade, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the 'Name' field and verifying that it is properly sanitized.
To mitigate the vulnerability, update the MaxKB component to version 2.8.0 or higher. The update fixes the manipulation of the 'Name' argument in the StaticHeadersMiddleware middleware, eliminating the risk of malicious code execution.
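To show what the temporary workaround (input validation plus output encoding on the 'Name' parameter) and the post-upgrade check look like in practice, here is an added Python example. It is not MaxKB's own code and does not reproduce StaticHeadersMiddleware; the allow-list used for display names and the `render_greeting` fragment are assumptions made for the illustration, and the payload is the one from the curl check on this page.

```python
import html
import re

# Assumed allow-list for a display name (letters, digits, underscore, space,
# period, apostrophe, hyphen, at most 64 characters). This is an illustrative
# policy, not MaxKB's rule.
NAME_ALLOWED = re.compile(r"[\w .'\-]{1,64}")


def validate_name(name):
    """Input validation: True only if the whole value matches the allow-list."""
    return NAME_ALLOWED.fullmatch(name) is not None


def encode_for_html(name):
    """Output encoding: escape <, >, &, and both quote characters so the value
    is inert in HTML text and inside attribute values."""
    return html.escape(name, quote=True)


def render_greeting_unsafe(name):
    """The vulnerable pattern: untrusted input interpolated into HTML as-is."""
    return "<p>Welcome, " + name + "</p>"


def render_greeting(name):
    """The hardened pattern: every reflection of Name goes through the encoder."""
    return "<p>Welcome, " + encode_for_html(name) + "</p>"


def reflects_unescaped(response_body, payload):
    """Post-upgrade check: True if the raw payload appears in the response body
    unencoded, i.e. the fix has not taken effect."""
    return payload in response_body


if __name__ == "__main__":
    payload = "<script>alert('XSS')</script>"
    print("validate_name:", validate_name(payload))              # False
    print("encoded:", encode_for_html(payload))
    print("unsafe reflects:", reflects_unescaped(render_greeting_unsafe(payload), payload))  # True
    print("hardened reflects:", reflects_unescaped(render_greeting(payload), payload))       # False
```

Validation and encoding are complementary rather than alternatives: the allow-list rejects values that have no business in a name, while the encoder guarantees that whatever is stored is rendered as text. `reflects_unescaped` is the programmatic form of the verification step in the mitigation paragraph: submit the simple payload, then confirm it comes back encoded rather than verbatim.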
CVE-2026-6106 is a cross-site scripting (XSS) vulnerability affecting 1Panel-dev MaxKB versions 2.2.0 through 2.8.0, allowing attackers to inject malicious scripts.
You are affected if you are running 1Panel-dev MaxKB versions 2.2.0 to 2.8.0 and have not upgraded. Check your version and upgrade immediately.
Upgrade 1Panel-dev MaxKB to version 2.8.0. If upgrading is not possible, implement input validation and output encoding as temporary workarounds.
A public proof-of-concept exists, indicating a potential for active exploitation. Monitor your systems closely.
Contact 1Panel-dev directly for the official advisory. The vendor was contacted early regarding this vulnerability.