Skip to main content

Microsoft EUVDEUVD-2026-22186

| CVE-2026-39424 MEDIUM
Improper Neutralization of Formula Elements in a CSV File (CWE-1236)
2026-04-14 GitHub_M
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch released
Apr 20, 2026 - 17:34 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
2.8.0
Analysis Generated
Apr 14, 2026 - 01:22 vuln.today
CVSS changed
Apr 14, 2026 - 01:22 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 14, 2026 - 01:15 euvd
EUVD-2026-22186
Analysis Generated
Apr 14, 2026 - 01:15 vuln.today
CVE Published
Apr 14, 2026 - 00:56 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, the chat export feature is vulnerable to Improper Neutralization of Formula Elements in a CSV File. When an administrator exports the application chat history to an Excel file (.xlsx) via the /admin/api/workspace/{workspace_id}/application/{application_id}/chat/export endpoint, strings starting with formula characters are written directly without proper sanitization. Opening this file in spreadsheet applications like Microsoft Excel can lead to Arbitrary Code Execution (RCE) on the administrator's workstation via Dynamic Data Exchange (DDE). The issue is a variant of CVE-2025-4546, which fixed the exact same pattern in apps/dataset/serializers/document_serializers.py but missed the application chat export sink. This issue has been fixed in version 2.8.0.

AnalysisAI

MaxKB versions 2.7.1 and below allow authenticated administrators to trigger arbitrary code execution on their own workstations through improper CSV formula sanitization in the chat export feature. When exporting chat history to Excel via the /admin/api/workspace/{workspace_id}/application/{application_id}/chat/export endpoint, formula strings (e.g., =cmd|'/c calc'!A1) are written unsanitized to the .xlsx file, enabling Dynamic Data Exchange (DDE) exploitation when the file is opened in Microsoft Excel. No public exploit code has been identified, but the vulnerability represents a high-impact attack path for administrators with legitimate export access and is a direct repeat of a previously patched flaw (CVE-2025-4546) that was incompletely remediated across the codebase.

Technical ContextAI

The vulnerability stems from CWE-1236 (Improper Neutralization of Formula Elements in a CSV File), a well-documented attack vector where spreadsheet applications interpret leading characters like '=', '+', '@', and '-' as formula directives. MaxKB's chat export serializer writes user-controlled chat content directly into XLSX cells without stripping or escaping these characters. When Microsoft Excel opens the file, it auto-executes DDE formulas such as '=cmd|'/c powershell [payload]'!A1', which invoke the Windows command processor. This is distinct from macro-based RCE because DDE does not require macro enablement-it executes automatically. The vulnerability affects the MaxKB application (CPE: cpe:2.3:a:1panel-dev:maxkb:*:*:*:*:*:*:*:*) in versions up to 2.7.1, indicating a systemic sanitization gap in the export code path. The root cause is incomplete patching; a related sink in dataset serializers (document_serializers.py) was fixed in CVE-2025-4546, but the application chat export sink was overlooked.

RemediationAI

Upgrade MaxKB to version 2.8.0 or later, which includes proper sanitization of formula characters in the chat export serializer. The patch commit (24cd68acae5f726eed828e2ac801827a2a70536f) is available at https://github.com/1Panel-dev/MaxKB/commit/24cd68acae5f726eed828e2ac801827a2a70536f. For organizations unable to upgrade immediately, restrict access to the /admin/api/workspace/{workspace_id}/application/{application_id}/chat/export endpoint to trusted administrators only, and educate administrators to avoid opening exported .xlsx files in Microsoft Excel if they originate from untrusted chat inputs. As an additional precaution, consider disabling DDE in Excel via Group Policy (Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\16.0\Excel\Security' -Name 'DisableDDE' -Value 1) on workstations where admins export files.

Share

EUVD-2026-22186 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy