PT-2026-32576 · Maxkb · Maxkb

Liqiang-Fit2Cloud
Published: 2026-04-14 · Updated: 2026-04-14
CVE-2026-39422
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: MaxKB versions prior to 2.8.0
Description: A stored cross-site scripting (XSS) issue exists in the application name and icon fields supplied when creating an application. When a user visits the public chat interface '/ui/chat/{access token}', the ChatHeadersMiddleware retrieves the application data and inserts the unescaped name and icon into the HTML response using string replacement. This allows arbitrary JavaScript to execute in the browser context of the victim.
Recommendations: Update to version 2.8.0.
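The unsafe substitution the description names, shown next to a version that escapes each value before it is spliced into the page. This is an added illustration, not MaxKB's own code: the template, the placeholder names, the function names and the application record are all constructed assumptions.

```python
import html

# Constructed application record: the name carries a script tag, the icon
# breaks out of the src attribute. Both fields are user-controlled per the advisory.
APP_RECORD = {
    "name": "Support Bot<script>alert(1)</script>",
    "icon": 'logo.png" onerror="alert(1)',
}

# Hypothetical chat-page fragment with the placeholders a middleware might fill.
PAGE_TEMPLATE = '<title>{{APP_NAME}}</title><img class="icon" src="{{APP_ICON}}">'


def render_vulnerable(template: str, app: dict) -> str:
    """Plain string replacement, no escaping: the pattern the advisory describes."""
    return (template.replace("{{APP_NAME}}", app["name"])
                    .replace("{{APP_ICON}}", app["icon"]))


def render_fixed(template: str, app: dict) -> str:
    """Escape for an HTML context before substitution.

    quote=True also encodes " and ', which matters for the icon value because it
    lands inside an attribute, not just in element text.
    """
    return (template.replace("{{APP_NAME}}", html.escape(app["name"], quote=True))
                    .replace("{{APP_ICON}}", html.escape(app["icon"], quote=True)))


def leaks_raw_value(rendered: str, untrusted_values) -> bool:
    """Defensive check for a response or a test: True if any untrusted value that
    contains HTML metacharacters reached the output verbatim (i.e. unescaped)."""
    return any(
        any(ch in value for ch in '<>"\'') and value in rendered
        for value in untrusted_values
    )


if __name__ == "__main__":
    print(render_vulnerable(PAGE_TEMPLATE, APP_RECORD))  # script tag survives
    print(render_fixed(PAGE_TEMPLATE, APP_RECORD))       # &lt;script&gt; ... &quot;
```

Escaping neutralises markup in both fields; a URL-typed field such as the icon should additionally be validated against an allowlist of acceptable paths or schemes, which is not shown here.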

Tags: Exploit · Fix · XSS
Related Identifiers: CVE-2026-39422
Affected Products: Maxkb