Maxkb
Monthly
Authenticated SSRF bypass in MaxKB's OSS file service URL fetch allows low-privilege users to reach internal network services by exploiting inconsistent DNS resolution between validation and request execution. MaxKB 2.8.0 and all prior versions are affected; the attacker causes the validation step to resolve a domain to a public IP, then swaps the DNS record so the actual HTTP fetch resolves to an internal address, bypassing the SSRF filter entirely. No public exploit has been identified and this CVE is not listed in CISA KEV; a vendor-released patch (2.8.1) is available.
Broken access control in MaxKB 2.8.0 and earlier exposes the OSS file service URL fetch API (`chat/api/oss/get_url`) to cross-application data access by authenticated low-privilege users who supply arbitrary `application_id` values in the URL path. Because the endpoint performs no ownership validation against the requesting session, any authenticated user can retrieve OSS file URLs scoped to applications they do not own, violating multi-tenant isolation. No public exploit code exists and the issue is not listed in CISA KEV; a vendor-released patch is available in version 2.8.1.
Server-Side Request Forgery in MaxKB before 2.9.1 allows authenticated users to pivot into internal network infrastructure by supplying arbitrary URLs to the work_flow_template import endpoint. The server fetches attacker-controlled URLs without validation or internal IP filtering, enabling reconnaissance of internal services, cloud metadata endpoints, or other resources unreachable from the public internet. The CVSS 4.0 score of 6.3 is driven primarily by high subsequent-system confidentiality impact (SC:H), reflecting the lateral reach into backend infrastructure that SSRF typically enables. No public exploit code or active exploitation has been identified at time of analysis.
MaxKB, an open-source enterprise AI assistant by 1Panel-dev, stores user passwords as unsalted MD5 hashes, exposing all user credentials to trivial offline cracking upon any database compromise. All versions prior to 2.9.1 are affected (CPE: cpe:2.3:a:1panel-dev:maxkb). The CVSS 4.0 vector (AV:L/VC:H) confirms that while local or database-level access is a prerequisite, once hashes are obtained, full credential recovery is practically guaranteed using rainbow tables or GPU-accelerated tools such as hashcat - no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Server-side request forgery in MaxKB v2.8.0 and earlier allows authenticated low-privilege users to reach internal network services by exploiting an URL parsing inconsistency at the OSS file fetch endpoint. The discrepancy between Python's urlparse validation logic and the requests HTTP client means a crafted URL can pass security checks yet still route to internal infrastructure when executed by the server. No public exploit or KEV listing exists at time of analysis; the vendor has confirmed and patched the issue in 2.8.1.
Stored Cross-Site Scripting in MaxKB's MdRenderer component allows authenticated users to inject malicious scripts via custom <iframe_render> tags in LLM responses or Application Prologue configurations, leading to JavaScript execution in the parent window context with access to session tokens and sensitive data. MaxKB versions 2.7.1 and earlier are affected; the vulnerability is fixed in version 2.8.0. The attack requires user interaction (UI:P) but impacts all visitors to an affected application's chat interface, making it a high-impact stored XSS despite the moderate CVSS 5.1 score.
Stored Cross-Site Scripting in MaxKB 2.7.1 and below allows authenticated users to inject arbitrary JavaScript into the Application prologue field via <html_rander> tags, which the backend stores unsanitized and the frontend renders with innerHTML-equivalent mechanisms. Exploitation enables session hijacking, unauthorized workspace/application deletion, and sensitive data exposure against any visitor accessing the affected chatbot. Fixed in version 2.8.0.
Stored Cross-Site Scripting (XSS) via Eval Injection in MaxKB's Markdown rendering engine allows authenticated users to execute arbitrary JavaScript in other users' browsers, including administrators. MaxKB versions 2.7.1 and below are affected. The vulnerability requires user interaction (UI:P) and low privileges (PR:L) to exploit, but delivers high integrity impact (VI:H) to victim sessions. A vendor-released patch is available in version 2.8.0.
Stored Cross-Site Scripting (XSS) in MaxKB 2.7.1 and below allows authenticated users to inject malicious JavaScript through application name or icon fields, which is then executed in victims' browsers when accessing the public chat interface. The vulnerability stems from unsanitized data insertion into HTML responses by ChatHeadersMiddleware, enabling arbitrary code execution with user interaction. MaxKB 2.8.0 has released a patch to fix this issue.
Remote code execution in MaxKB workflow engine (versions 2.7.1 and below) allows authenticated users to bypass an incomplete CVE-2025-53928 fix by injecting arbitrary MCP node configurations through the workflow creation API. An attacker with low-privilege credentials can omit the mcp_source field to trigger the unpatched else branch, inject stdio transport with arbitrary commands, and achieve RCE when the workflow is executed via chat interaction. This represents an incomplete remediation of a prior vulnerability-the patch restricted one code path but left an alternative execution path fully exposed.
Cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.4.2 allows authenticated remote attackers to inject malicious scripts via the MdPreview component in ui/src/chat.ts, requiring user interaction to execute. Publicly available exploit code exists for this vulnerability. The vendor released patched version 2.5.0 addressing the flaw with commit 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8.
OS command injection in 1Panel-dev MaxKB up to version 2.6.1 allows authenticated remote attackers to execute arbitrary operating system commands through manipulation of the Model Context Protocol Node's execute function in base_mcp_node.py, with publicly available exploit code and vendor-released patches available for remediation.
Stored cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.6.1 allows authenticated remote attackers to inject malicious scripts via the Name argument in ChatHeadersMiddleware, requiring user interaction to trigger. The vulnerability has a low CVSS score (3.5) due to requiring authentication and user interaction, but XSS can lead to session hijacking or credential theft. Vendor-released patch version 2.8.0 addresses this issue.
Cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.2.1 allows authenticated remote attackers to inject malicious scripts via the Name argument in the StaticHeadersMiddleware component of the Public Chat Interface. The vulnerability requires user interaction (UI:R) and has low confidentiality impact but enables persistent code execution in user browsers. Publicly available exploit code exists, and vendor-released patch version 2.8.0 resolves the issue.
MaxKB is an open-source AI assistant for enterprise. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
MaxKB is an open-source AI assistant for enterprise. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
MaxKB prior to version 1.10.8-lts contains an incomplete sandbox implementation that only blacklists binary execution in common system directories (/bin, /usr/bin, etc.), allowing local attackers with low privileges to execute arbitrary code via executable files in non-blacklisted directories and achieve full system compromise. The vulnerability affects enterprise AI assistant deployments and has a high CVSS score of 8.8 reflecting significant impact potential; exploitation requires local access but no user interaction.
A vulnerability was found in 1Panel-dev MaxKB up to 1.10.7. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
MaxKB (Max Knowledge Base) is an open source knowledge base question-answering system based on a large language model and retrieval-augmented generation (RAG). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.
MaxKB, which stands for Max Knowledge Base, is an open source knowledge base question-answering system based on a large language model and retrieval-augmented generation (RAG). Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Authenticated SSRF bypass in MaxKB's OSS file service URL fetch allows low-privilege users to reach internal network services by exploiting inconsistent DNS resolution between validation and request execution. MaxKB 2.8.0 and all prior versions are affected; the attacker causes the validation step to resolve a domain to a public IP, then swaps the DNS record so the actual HTTP fetch resolves to an internal address, bypassing the SSRF filter entirely. No public exploit has been identified and this CVE is not listed in CISA KEV; a vendor-released patch (2.8.1) is available.
Broken access control in MaxKB 2.8.0 and earlier exposes the OSS file service URL fetch API (`chat/api/oss/get_url`) to cross-application data access by authenticated low-privilege users who supply arbitrary `application_id` values in the URL path. Because the endpoint performs no ownership validation against the requesting session, any authenticated user can retrieve OSS file URLs scoped to applications they do not own, violating multi-tenant isolation. No public exploit code exists and the issue is not listed in CISA KEV; a vendor-released patch is available in version 2.8.1.
Server-Side Request Forgery in MaxKB before 2.9.1 allows authenticated users to pivot into internal network infrastructure by supplying arbitrary URLs to the work_flow_template import endpoint. The server fetches attacker-controlled URLs without validation or internal IP filtering, enabling reconnaissance of internal services, cloud metadata endpoints, or other resources unreachable from the public internet. The CVSS 4.0 score of 6.3 is driven primarily by high subsequent-system confidentiality impact (SC:H), reflecting the lateral reach into backend infrastructure that SSRF typically enables. No public exploit code or active exploitation has been identified at time of analysis.
MaxKB, an open-source enterprise AI assistant by 1Panel-dev, stores user passwords as unsalted MD5 hashes, exposing all user credentials to trivial offline cracking upon any database compromise. All versions prior to 2.9.1 are affected (CPE: cpe:2.3:a:1panel-dev:maxkb). The CVSS 4.0 vector (AV:L/VC:H) confirms that while local or database-level access is a prerequisite, once hashes are obtained, full credential recovery is practically guaranteed using rainbow tables or GPU-accelerated tools such as hashcat - no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Server-side request forgery in MaxKB v2.8.0 and earlier allows authenticated low-privilege users to reach internal network services by exploiting an URL parsing inconsistency at the OSS file fetch endpoint. The discrepancy between Python's urlparse validation logic and the requests HTTP client means a crafted URL can pass security checks yet still route to internal infrastructure when executed by the server. No public exploit or KEV listing exists at time of analysis; the vendor has confirmed and patched the issue in 2.8.1.
Stored Cross-Site Scripting in MaxKB's MdRenderer component allows authenticated users to inject malicious scripts via custom <iframe_render> tags in LLM responses or Application Prologue configurations, leading to JavaScript execution in the parent window context with access to session tokens and sensitive data. MaxKB versions 2.7.1 and earlier are affected; the vulnerability is fixed in version 2.8.0. The attack requires user interaction (UI:P) but impacts all visitors to an affected application's chat interface, making it a high-impact stored XSS despite the moderate CVSS 5.1 score.
Stored Cross-Site Scripting in MaxKB 2.7.1 and below allows authenticated users to inject arbitrary JavaScript into the Application prologue field via <html_rander> tags, which the backend stores unsanitized and the frontend renders with innerHTML-equivalent mechanisms. Exploitation enables session hijacking, unauthorized workspace/application deletion, and sensitive data exposure against any visitor accessing the affected chatbot. Fixed in version 2.8.0.
Stored Cross-Site Scripting (XSS) via Eval Injection in MaxKB's Markdown rendering engine allows authenticated users to execute arbitrary JavaScript in other users' browsers, including administrators. MaxKB versions 2.7.1 and below are affected. The vulnerability requires user interaction (UI:P) and low privileges (PR:L) to exploit, but delivers high integrity impact (VI:H) to victim sessions. A vendor-released patch is available in version 2.8.0.
Stored Cross-Site Scripting (XSS) in MaxKB 2.7.1 and below allows authenticated users to inject malicious JavaScript through application name or icon fields, which is then executed in victims' browsers when accessing the public chat interface. The vulnerability stems from unsanitized data insertion into HTML responses by ChatHeadersMiddleware, enabling arbitrary code execution with user interaction. MaxKB 2.8.0 has released a patch to fix this issue.
Remote code execution in MaxKB workflow engine (versions 2.7.1 and below) allows authenticated users to bypass an incomplete CVE-2025-53928 fix by injecting arbitrary MCP node configurations through the workflow creation API. An attacker with low-privilege credentials can omit the mcp_source field to trigger the unpatched else branch, inject stdio transport with arbitrary commands, and achieve RCE when the workflow is executed via chat interaction. This represents an incomplete remediation of a prior vulnerability-the patch restricted one code path but left an alternative execution path fully exposed.
Cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.4.2 allows authenticated remote attackers to inject malicious scripts via the MdPreview component in ui/src/chat.ts, requiring user interaction to execute. Publicly available exploit code exists for this vulnerability. The vendor released patched version 2.5.0 addressing the flaw with commit 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8.
OS command injection in 1Panel-dev MaxKB up to version 2.6.1 allows authenticated remote attackers to execute arbitrary operating system commands through manipulation of the Model Context Protocol Node's execute function in base_mcp_node.py, with publicly available exploit code and vendor-released patches available for remediation.
Stored cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.6.1 allows authenticated remote attackers to inject malicious scripts via the Name argument in ChatHeadersMiddleware, requiring user interaction to trigger. The vulnerability has a low CVSS score (3.5) due to requiring authentication and user interaction, but XSS can lead to session hijacking or credential theft. Vendor-released patch version 2.8.0 addresses this issue.
Cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.2.1 allows authenticated remote attackers to inject malicious scripts via the Name argument in the StaticHeadersMiddleware component of the Public Chat Interface. The vulnerability requires user interaction (UI:R) and has low confidentiality impact but enables persistent code execution in user browsers. Publicly available exploit code exists, and vendor-released patch version 2.8.0 resolves the issue.
MaxKB is an open-source AI assistant for enterprise. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
MaxKB is an open-source AI assistant for enterprise. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
MaxKB prior to version 1.10.8-lts contains an incomplete sandbox implementation that only blacklists binary execution in common system directories (/bin, /usr/bin, etc.), allowing local attackers with low privileges to execute arbitrary code via executable files in non-blacklisted directories and achieve full system compromise. The vulnerability affects enterprise AI assistant deployments and has a high CVSS score of 8.8 reflecting significant impact potential; exploitation requires local access but no user interaction.
A vulnerability was found in 1Panel-dev MaxKB up to 1.10.7. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
MaxKB (Max Knowledge Base) is an open source knowledge base question-answering system based on a large language model and retrieval-augmented generation (RAG). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.
MaxKB, which stands for Max Knowledge Base, is an open source knowledge base question-answering system based on a large language model and retrieval-augmented generation (RAG). Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.