# MaxKB Stored XSS Vulnerability Summary

## Vulnerability Overview

MaxKB has a stored cross-site scripting (XSS) vulnerability. Authenticated users with dataset management permissions can inject malicious HTML/Markdown content when creating paragraphs. Since the application does not sanitize the content, it is directly stored in the database and rendered on the frontend via the `MdPreview` component of `md-editor-v3`, allowing attackers to inject malicious JavaScript code that executes when other users (including administrators) view the paragraph or its details.

## Impact Scope

* **Project**: MaxKB
* **Affected Versions**:

**Proof of Concept:**

```http
POST /api/workspace/{workspace_id}/knowledge/{knowledge_id}/document/{document_id}/paragraph HTTP/1.1
Host: target.com
Authorization: Bearer
Content-Type: application/json

{
  "content": "",
  "title": "XSS Payload"
}
```
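
Because the paragraph content is stored, anything injected before a fix is deployed stays in the database until it is found. The following is an added example (not code from MaxKB or from the original advisory) of a triage heuristic that flags stored paragraph bodies containing script-capable markup. The `(id, content)` row layout, the function names and the sample strings are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Elements that run or embed active content when the renderer emits raw HTML.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math", "style", "base", "form"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
# Target of a Markdown link or image: [text](target) / ![alt](target)
MD_TARGET = re.compile(r"\]\(\s*<?([^)\s>]+)")

def _script_url(value):
    # Browsers ignore ASCII whitespace and control characters inside a scheme.
    v = re.sub(r"[\x00-\x20]", "", value or "").lower()
    return v.startswith(("javascript:", "vbscript:", "data:text/html"))

class _Scan(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = set()

    def handle_starttag(self, tag, attrs):  # tag/attribute names arrive lowercased
        if tag in ACTIVE_TAGS:
            self.findings.add(f"tag:{tag}")
        for name, value in attrs:  # values arrive with entities already decoded
            if name.startswith("on"):
                self.findings.add(f"handler:{tag}.{name}")
            elif name in URL_ATTRS and _script_url(value):
                self.findings.add(f"url:{tag}.{name}")

def audit_paragraph(content):
    """Return sorted findings for one stored paragraph body (Markdown with inline HTML)."""
    scan = _Scan()
    scan.feed(content)
    scan.close()
    if any(_script_url(t) for t in MD_TARGET.findall(content)):
        scan.findings.add("url:markdown-link")
    return sorted(scan.findings)

def audit_rows(rows):
    """Map paragraph id -> findings for every row that needs manual review."""
    return {pid: hits for pid, body in rows if (hits := audit_paragraph(body))}

# Constructed sample rows (id, content); not data from a real MaxKB instance.
ROWS = [
    (1, "## Install\nRun `pip install x`, then read the [docs](https://example.com)."),
    (2, 'Intro <img src="x" onerror="alert(1)"> text'),
    (3, "[click](javascript:alert(1))"),
    (4, '<a href="&#106;avascript:alert(1)">x</a> <ScRiPt>alert(1)</ScRiPt>'),
]

if __name__ == "__main__":
    for pid, hits in audit_rows(ROWS).items():
        print(pid, hits)
```

The scan does not understand Markdown code fences, so documentation paragraphs that quote HTML will also be flagged; treat the output as a review queue rather than a delete list.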