{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15632", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-11T07:34:46.231Z", "datePublished": "2026-04-13T09:30:21.266Z", "dateUpdated": "2026-04-13T13:01:08.819Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-13T09:30:21.266Z"}, "title": "1Panel-dev MaxKB MdPreview chat.ts cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "1Panel-dev", "product": "MaxKB", "versions": [{"version": "2.4.0", "status": "affected"}, {"version": "2.4.1", "status": "affected"}, {"version": "2.4.2", "status": "affected"}, {"version": "2.5.0", "status": "unaffected"}], "cpes": ["cpe:2.3:a:maxkb:maxkb:*:*:*:*:*:*:*:*"], "modules": ["MdPreview"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in 1Panel-dev MaxKB up to 2.4.2. Impacted is an unknown function of the file ui/src/chat.ts of the component MdPreview. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.5.0 is recommended to address this issue. The name of the patch is 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-04-11T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-11T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-11T09:40:17.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Ana10gy (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/356967", "name": "VDB-356967 | 1Panel-dev MaxKB MdPreview chat.ts cross site scripting", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/356967/cti", "name": "VDB-356967 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/782265", "name": "Submit #782265 | 1Panel-dev MaxKB <= v2.6.1 Stored XSS", "tags": ["third-party-advisory"]}, {"url": "https://github.com/AnalogyC0de/public_exp/issues/28", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/1Panel-dev/MaxKB/pull/4578", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/1Panel-dev/MaxKB/commit/7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8", "tags": ["patch"]}, {"url": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.5.0", "tags": ["patch"]}, {"url": "https://github.com/1Panel-dev/MaxKB/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T13:00:58.252385Z", "id": "CVE-2025-15632", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T13:01:08.819Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15632", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T13:00:58.252385Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T13:01:02.824Z"}}], "cna": {"tags": ["x_open-source"], "title": "1Panel-dev MaxKB MdPreview chat.ts cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "Ana10gy (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C"}}], "affected": [{"cpes": ["cpe:2.3:a:maxkb:maxkb:*:*:*:*:*:*:*:*"], "vendor": "1Panel-dev", "modules": ["MdPreview"], "product": "MaxKB", "versions": [{"status": "affected", "version": "2.4.0"}, {"status": "affected", "version": "2.4.1"}, {"status": "affected", "version": "2.4.2"}, {"status": "unaffected", "version": "2.5.0"}]}], "timeline": [{"lang": "en", "time": "2026-04-11T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-11T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-11T09:40:17.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/356967", "name": "VDB-356967 | 1Panel-dev MaxKB MdPreview chat.ts cross site scripting", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/356967/cti", "name": "VDB-356967 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/782265", "name": "Submit #782265 | 1Panel-dev MaxKB <= v2.6.1 Stored XSS", "tags": ["third-party-advisory"]}, {"url": "https://github.com/AnalogyC0de/public_exp/issues/28", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/1Panel-dev/MaxKB/pull/4578", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/1Panel-dev/MaxKB/commit/7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8", "tags": ["patch"]}, {"url": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.5.0", "tags": ["patch"]}, {"url": "https://github.com/1Panel-dev/MaxKB/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in 1Panel-dev MaxKB up to 2.4.2. Impacted is an unknown function of the file ui/src/chat.ts of the component MdPreview. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.5.0 is recommended to address this issue. The name of the patch is 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-13T09:30:21.266Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15632", "state": "PUBLISHED", "dateUpdated": "2026-04-13T13:01:08.819Z", "dateReserved": "2026-04-11T07:34:46.231Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-13T09:30:21.266Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in 1Panel-dev MaxKB up to 2.4.2. Impacted is an unknown function of the file ui/src/chat.ts of the component MdPreview. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.5.0 is recommended to address this issue. The name of the patch is 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."}], "id": "CVE-2025-15632", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-13T10:16:10.160", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/1Panel-dev/MaxKB/"}, {"source": "cna@vuldb.com", "url": "https://github.com/1Panel-dev/MaxKB/commit/7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8"}, {"source": "cna@vuldb.com", "url": "https://github.com/1Panel-dev/MaxKB/pull/4578"}, {"source": "cna@vuldb.com", "url": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.5.0"}, {"source": "cna@vuldb.com", "url": "https://github.com/AnalogyC0de/public_exp/issues/28"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/782265"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356967"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356967/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-13T11:20:27.872943+00:00", "value": {"mitigation_remediation": ["Apply the fix identified by commit 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8, which is included in MaxKB v2.5.0", "Upgrade the MaxKB component to version 2.5.0 or later", "Verify that the MdPreview chat.ts file has been updated and that input validation is in place", "Monitor vendor channel for any additional patches or advisories"], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is 1Panel\u2011dev MaxKB, version 2.4.2 and earlier. Any installation that has not been upgraded to the patched release (v2.5.0) remains vulnerable. The vulnerability affects the MdPreview chat component.\n", "description_and_impact": "A cross\u2011site scripting flaw exists in the MdPreview component of 1Panel\u2011dev MaxKB, specifically within the chat.ts file. The vulnerability allows an attacker to inject arbitrary scripts into the application\u2019s user interface. This can compromise the confidentiality, integrity, and availability of the system by executing malicious code in the context of legitimate users.\n\nThe weakness is categorized under CWE\u201179 (XSS) and CWE\u201194 (Code Injection), indicating that user input is improperly sanitized before rendering or execution. Attackers may exploit the flaw remotely without needing elevated privileges, using crafted payloads delivered through the chat or preview functionality.\n\nThe vulnerability is present in all MaxKB releases up to version 2.4.2; the vendor has released a fix in version 2.5.0. The publicly disclosed exploit can be found on GitHub and has already been used in the wild.\n", "risk_and_exploitability": "The CVSS score is 5.1, indicating a medium severity. Because the exploit is publicly available on GitHub and the vulnerability is exploitable remotely, the likelihood of attack is significant. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the presence of a public exploit and the straightforward remote execution path raise the risk profile."}}}}, "created": "2026-04-13T12:52:31.817071+00:00", "updated": "2026-04-13T12:52:31.817097+00:00", "vendors": []}