PT-2026-32585 · Maxkb · Maxkb

Liqiang · Published 2026-04-14 · Updated 2026-04-14

CVE-2026-39426

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: MaxKB versions prior to 2.8.0

Description: A Stored Cross-Site Scripting (XSS) issue exists where the frontend MdRenderer.vue component parses custom <iframe render> tags from LLM responses or Application Prologue configurations. This process bypasses standard Markdown sanitization and XSS filtering. The unsanitized HTML content is then passed to the IframeRender.vue component, which renders it directly into an <iframe> via the srcdoc attribute configured with sandbox="allow-scripts allow-same-origin". This allows injected scripts to escape the iframe and execute JavaScript in the parent window using window.parent. Because the Prologue is rendered for any user visiting an application chat interface, this can lead to session hijacking, unauthorized actions, and sensitive data exposure.

Recommendations: Update to version 2.8.0.
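The root cause in the description is the sandbox token pair: a srcdoc document is same-origin with its embedder, so granting allow-scripts together with allow-same-origin leaves window.parent reachable from the frame. As an added example that is not MaxKB's code, the JavaScript below checks a sandbox attribute value for that pair, builds a hardened attribute set that never grants allow-same-origin, and scans a constructed template fragment for offending iframe tags; all function names and the sample template are assumptions.

```javascript
// Added example, not MaxKB's code; function names and sample template are constructed.
// A srcdoc document is same-origin with its embedder, so a sandbox granting both
// tokens below lets scripts inside the frame reach window.parent.
const UNSAFE_PAIR = ['allow-scripts', 'allow-same-origin'];

// Normalised token set; null means the sandbox attribute is absent entirely.
function parseSandboxTokens(value) {
  if (value === null || value === undefined) return null;
  return new Set(String(value).toLowerCase().split(/\s+/).filter(Boolean));
}

// True when frame content can still script the parent: no sandbox at all, or
// the allow-scripts + allow-same-origin pair. sandbox="" is fully restricted.
function sandboxAllowsParentAccess(value) {
  const tokens = parseSandboxTokens(value);
  return tokens === null || UNSAFE_PAIR.every((t) => tokens.has(t));
}

// Attributes for a srcdoc iframe rendering untrusted HTML: scripts may run, but
// allow-same-origin is never granted, so the frame gets an opaque origin and the
// same-origin policy blocks window.parent. (Hardening illustration only; the
// actual 2.8.0 fix is not described on this page.)
function hardenedIframeAttrs(html, { allowScripts = false } = {}) {
  return { srcdoc: html, sandbox: allowScripts ? 'allow-scripts' : '' };
}

// Lint-style scan of markup/templates for <iframe> tags whose sandbox still
// allows parent access. Regex based: fine for source review, not an HTML parser.
function findUnsafeIframes(markup) {
  const findings = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /(?:^|\s)sandbox\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  const bareRe = /(?:^|\s)sandbox(?=\s|$)/i; // bare `sandbox` equals sandbox=""
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    const attrs = m[1];
    const a = attrRe.exec(attrs);
    let value = null;
    if (a) value = [a[1], a[2], a[3]].find((g) => g !== undefined);
    else if (bareRe.test(attrs)) value = '';
    if (sandboxAllowsParentAccess(value)) findings.push({ tag: m[0], sandbox: value });
  }
  return findings;
}
// Constructed template lines: only the first and the last should be flagged.
const SAMPLE_TEMPLATE = [
  '<iframe :srcdoc="html" sandbox="allow-scripts allow-same-origin"></iframe>',
  '<iframe :srcdoc="html" sandbox="allow-scripts"></iframe>',
  '<iframe :srcdoc="html" sandbox></iframe>',
  "<iframe :srcdoc='html'></iframe>",
].join('\n');
```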

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-39426

Affected Products

Maxkb