Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
1Panel-dev MaxKB Model Context Protocol Node base_mcp_node.py execute os command injection
Vulnerability Description
A vulnerability was found in 1Panel-dev MaxKB up to 2.6.1. The affected element is the function execute of the file apps/application/flow/step_node/mcp_node/impl/base_mcp_node.py of the component Model Context Protocol Node. Performing a manipulation results in os command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Vulnerability Title
MaxKB 操作系统命令注入漏洞
Vulnerability Description
MaxKB是1Panel-dev开源的一款基于大语言模型和 RAG 的开源知识库问答系统。 MaxKB 2.6.1及之前版本存在操作系统命令注入漏洞,该漏洞源于Model Context Protocol Node组件中文件apps/application/flow/step_node/mcp_node/impl/base_mcp_node.py的execute函数存在os命令注入,可能导致远程执行任意代码。
CVSS Information
N/A
Vulnerability Type
N/A