CVE-2025-15632 Overview
A Cross-Site Scripting (XSS) vulnerability has been identified in 1Panel-dev MaxKB, an open-source knowledge base management platform. The vulnerability exists in the MdPreview component within the file ui/src/chat.ts, where insufficient input sanitization allows attackers to inject malicious scripts through specially crafted markdown content. This flaw can be exploited remotely to execute arbitrary JavaScript code in the context of a victim's browser session.
Critical Impact
Remote attackers can exploit this XSS vulnerability to execute malicious scripts in users' browsers, potentially leading to session hijacking, credential theft, or further compromise of the affected system.
Affected Products
- 1Panel-dev MaxKB versions up to and including 2.4.2
- MaxKB MdPreview component (ui/src/chat.ts)
- MaxKB Markdown editor functionality
Discovery Timeline
- April 13, 2026 - CVE-2025-15632 published to NVD
- April 13, 2026 - Last updated in NVD database
Technical Details for CVE-2025-15632
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw resides in the MdPreview component of the MaxKB application, specifically within the ui/src/chat.ts file. The vulnerable component processes user-supplied markdown content without adequate XSS protection, allowing attackers to inject and execute malicious JavaScript code within the browser context of other users viewing the rendered markdown content.
The vulnerability requires low privileges to exploit and depends on user interaction, meaning a victim must view the malicious content for the attack to succeed. Successful exploitation can compromise the integrity of user sessions and enable attackers to perform actions on behalf of authenticated users.
Root Cause
The root cause of this vulnerability is the absence of proper XSS sanitization when rendering markdown content in the MdPreview component. The original implementation of the md-editor-v3 library configuration did not include the XSS plugin with appropriate whitelist filtering. Without the XSS plugin and a properly configured whitelist, user-controlled markdown input could include malicious HTML or JavaScript that would be rendered and executed in the browser.
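The whitelist principle the fix relies on, shown as an added illustration written for this page (it is not the xss library, md-editor-v3's XSSPlugin, or MaxKB code): only known tags and per-tag attributes survive, event-handler attributes never pass, and URL attributes must use a safe scheme. The tag and attribute lists are a constructed subset of a typical default whitelist.

```javascript
// Constructed per-tag attribute whitelist (subset of what a default whitelist
// allows). Anything not listed here, tag or attribute, is dropped.
const WHITE_LIST = {
  p: [], b: [], i: [], em: [], strong: [], code: [], pre: [], br: [],
  ul: [], ol: [], li: [],
  a: ['href', 'title', 'target'],
  img: ['src', 'alt', 'title', 'width', 'height'],
};
// URL-bearing attributes must use a safe scheme (or be relative/fragment).
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_URL = /^(?:https?:|mailto:|\/|#|[^:]*$)/i;

// Escape characters that would let a value re-open markup or an entity.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Rebuild one tag, keeping only whitelisted attributes with safe values.
function sanitizeTag(raw) {
  const m = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>$/.exec(raw);
  if (!m) return escapeText(raw);                // malformed tag: render as text
  const [, close, nameRaw, attrs] = m;
  const name = nameRaw.toLowerCase();
  if (!(name in WHITE_LIST)) return '';          // script, iframe, ... are removed
  if (close) return `</${name}>`;
  const kept = [];
  const attrRe = /([a-zA-Z][\w-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let a;
  while ((a = attrRe.exec(attrs)) !== null) {
    const key = a[1].toLowerCase();
    const val = a[2] ?? a[3] ?? a[4] ?? '';
    if (!WHITE_LIST[name].includes(key)) continue;                    // on*, style, ...
    if (URL_ATTRS.has(key) && !SAFE_URL.test(val.trim())) continue;   // javascript:, data:
    kept.push(`${key}="${escapeText(val).replace(/"/g, '&quot;')}"`);
  }
  return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}>`;
}

// Sanitize an HTML fragment produced by a markdown renderer before it is
// inserted into the DOM. Text nodes are passed through unchanged; every `<`
// starts a tag token, so nothing can slip through as unparsed markup.
function sanitizeHtml(html) {
  return html.replace(/<[^>]*>?|[^<]+/g, (tok) => (tok.startsWith('<') ? sanitizeTag(tok) : tok));
}
```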
Attack Vector
The attack is network-based and can be executed remotely. An attacker with low-level privileges (such as a registered user) can inject malicious script content into markdown fields processed by the MdPreview component. When another user views this content through the chat interface, the malicious script executes in their browser session. This can lead to:
- Session token theft via cookie exfiltration
- Phishing attacks through DOM manipulation
- Keylogging and credential capture
- Unauthorized actions performed on behalf of the victim
The following excerpt from the fix commit shows the imports that were added to bring in XSS protection:
import Components from '@/components'
import directives from '@/directives'
-import { config } from 'md-editor-v3'
+import { getDefaultWhiteList } from 'xss'
+import { config, XSSPlugin } from 'md-editor-v3'
import screenfull from 'screenfull'
import katex from 'katex'
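Review bot: the hunk shows only the two new imports (getDefaultWhiteList from xss and XSSPlugin from md-editor-v3); the config(...) call that actually registers the plugin and passes the whitelist is not in this excerpt, so anyone verifying the fix should confirm that XSSPlugin is registered for the MdPreview render path rather than merely imported. Since `xss` is now imported directly in ui/src/chat.ts, also check that it is declared as a direct dependency of the ui package instead of being relied on transitively through md-editor-v3.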
Source: GitHub Commit Details
Detection Methods for CVE-2025-15632
Indicators of Compromise
- Unusual JavaScript execution patterns in browser developer console logs when viewing MaxKB chat content
- Unexpected outbound network requests to external domains from the MaxKB application
- User reports of suspicious behavior or unauthorized actions after viewing chat messages
- Modified or injected content in markdown preview areas containing script tags or event handlers
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block inline script execution attempts
- Monitor web application firewall (WAF) logs for XSS payload patterns targeting the MaxKB chat endpoint
- Review application logs for requests containing suspicious characters commonly used in XSS attacks (e.g., <script>, onerror=, javascript:)
- Conduct regular security scans of user-generated markdown content for malicious payloads
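As an added illustration written for this page (not MaxKB code or tooling), the following JavaScript scans access-log lines for the indicator patterns listed above, decoding percent- and entity-encoded payloads first so that encoded variants are not missed. The log lines, paths and addresses are constructed placeholders, not MaxKB's real endpoints.

```javascript
// Indicator patterns from the advisory. The event-handler rule can false-positive
// on ordinary words ending in "on" followed by "=", so treat hits as triage leads.
const XSS_PATTERNS = [
  { name: 'script-tag', re: /<script\b/i },
  { name: 'event-handler', re: /\bon[a-z]+\s*=/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
];

// Payloads usually arrive percent-encoded (sometimes twice) or as HTML
// entities; normalise before matching so `%3Cscript%3E` is caught.
function normalise(s) {
  let out = s;
  for (let i = 0; i < 2; i++) {
    try { out = decodeURIComponent(out.replace(/\+/g, ' ')); } catch (e) { break; }
  }
  return out
    .replace(/&lt;/gi, '<').replace(/&gt;/gi, '>')
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCharCode(Number(d)));
}

// One finding per (line, pattern) hit. pathFilter optionally restricts the scan
// to requests whose path starts with the given prefix (e.g. the chat endpoint).
function scanAccessLog(lines, pathFilter) {
  const findings = [];
  for (const line of lines) {
    const req = /"(?:GET|POST|PUT|PATCH) (\S+)/.exec(line);
    const path = req ? req[1] : '';
    if (pathFilter && !path.startsWith(pathFilter)) continue;
    const text = normalise(line);
    for (const p of XSS_PATTERNS) {
      if (p.re.test(text)) findings.push({ pattern: p.name, path });
    }
  }
  return findings;
}

// Constructed sample log (combined-log format; placeholder paths and IPs).
const SAMPLE_LOG = [
  '203.0.113.5 - - [13/Apr/2026:10:00:01 +0000] "POST /api/chat/message HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [13/Apr/2026:10:00:02 +0000] "GET /api/chat/message?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 17 "-" "curl/8.0"',
  '203.0.113.9 - - [13/Apr/2026:10:00:03 +0000] "POST /api/chat/message HTTP/1.1" 200 44 "-" "img src=x onerror=alert(1)"',
  '203.0.113.9 - - [13/Apr/2026:10:00:04 +0000] "GET /login?next=javascript%3Aalert(1) HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];
```

Note that the third sample carries its payload in the User-Agent field, which is why the whole line is normalised and matched rather than only the request path.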
Monitoring Recommendations
- Enable browser-side XSS auditor logging where still available (current Chromium and Firefox releases no longer ship an auditor, so CSP violation reporting is the practical substitute) to capture blocked injection attempts
- Set up alerts for CSP violation reports indicating attempted script injections
- Monitor user session activity for anomalous behavior that may indicate compromised sessions
- Implement real-time scanning of markdown content submissions for XSS patterns
How to Mitigate CVE-2025-15632
Immediate Actions Required
- Upgrade MaxKB to version 2.5.0 or later immediately
- Review recent chat messages and markdown content for potentially malicious payloads
- Consider temporarily restricting markdown rendering functionality if immediate upgrade is not possible
- Notify users to clear their browser sessions and re-authenticate after patching
Patch Information
The vulnerability has been addressed in MaxKB version 2.5.0. The fix implements the XSS plugin from md-editor-v3 along with a proper whitelist configuration using getDefaultWhiteList from the xss library. The security patch is identified by commit hash 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8. For detailed patch information, refer to the GitHub Pull Request and GitHub Release v2.5.0.
Workarounds
- Implement a web application firewall (WAF) rule to filter common XSS payloads targeting the chat endpoint
- Add Content Security Policy headers to restrict inline script execution: script-src 'self'
- Temporarily disable the markdown preview feature until the patch can be applied
- Restrict access to the chat functionality to trusted users only
# Example nginx configuration for CSP headers as a temporary mitigation.
# script-src 'self' blocks inline scripts and event-handler attributes; verify the MaxKB UI
# still loads under this policy (and add a report-uri/report-to directive if you want violation reports).
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;
# X-XSS-Protection is ignored by current browsers; it is harmless to keep but CSP is the effective control.
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.