
MaxKB — Vulnerabilities & Security Advisories (31)

All 31 CVE vulnerabilities found in MaxKB, with AI-generated analysis (in Chinese), references, and POCs.

This page catalogs the publicly disclosed vulnerabilities (CVEs) in MaxKB, the open-source enterprise knowledge base from 1Panel-dev, together with the CWE weakness class assigned to each. The entries cover flaws in access control, authentication, data handling (markdown and chart rendering, chat export, deserialization), the Python function sandbox, and the MCP and workflow integrations, across MaxKB releases from 1.0 to the current line, and concentrate on the critical and high-severity findings that have been publicly disclosed or patched by the vendor.

Administrators can use the list to see which attack vectors recur against MaxKB and how particular weakness classes (broken access control, SSRF, sandbox escape, insecure defaults) show up in the product's code or deployment settings. The chronological ordering also shows how the product's risk profile has evolved, which helps when prioritizing remediation and when configuring deployments to mitigate the weaknesses already documented.

The list is a technical reference for existing users planning upgrades and for new adopters evaluating the platform's security posture. It covers documented, verified issues only and is not a comprehensive audit of every potential flaw.

Vendor: 1Panel-dev

Scores and severities marked (AI) are AI-estimated rather than vendor- or NVD-assigned; "-" means the page lists no value.

CVE ID | Title | CWE | CVSS | Severity | Published
CVE-2026-42336 | MaxKB: SSRF Bypass via DNS Rebinding in MaxKB OSS URL Fetch | CWE-367 | - | - | 2026-05-26
CVE-2026-42337 | MaxKB: Broken Access Control in MaxKB OSS URL Fetch API | CWE-862 | - | - | 2026-05-26
CVE-2026-44847 | MaxKB: Webhook Trigger Authentication Bypass | CWE-287 | 7.5 | High | 2026-05-26
CVE-2026-45412 | MaxKB: Unauthenticated SSRF via Workflow Template Import | CWE-918 | - | - | 2026-05-26
CVE-2026-45413 | MaxKB: Unsalted MD5 Password Hashing | CWE-328 | - | - | 2026-05-26
CVE-2026-42335 | MaxKB: SSRF Bypass in MaxKB OSS URL Fetch due to URL Parsing Discrepancy | CWE-918 | - | - | 2026-05-26
CVE-2026-39426 | MaxKB: Stored XSS via Unsanitized iframe_render Parsing | CWE-79 | 5.4 | - | 2026-04-14
CVE-2026-39425 | MaxKB: Stored XSS via Unsanitized html_rander Tags in Markdown Rendering | CWE-80 | 5.4 | - | 2026-04-14
CVE-2026-39419 | MaxKB: Sandbox Result Validation Bypass via Tool Output Spoofing | CWE-74 | 3.1 | Low | 2026-04-14
CVE-2026-39424 | MaxKB has CSV Injection in its Application Chat Export Functionality | CWE-1236 | 7.8 | - | 2026-04-14
CVE-2026-39423 | Stored XSS via Eval Injection in EchartsRander Component | CWE-79 | 5.4 | - | 2026-04-14
CVE-2026-39422 | MaxKB has Stored XSS via ChatHeadersMiddleware | CWE-79 | 5.4 | - | 2026-04-14
CVE-2026-39421 | MaxKB: Sandbox escape via ctypes and unhooked SYS_pkey_mprotect | CWE-693 | 6.3 | Medium | 2026-04-14
CVE-2026-39420 | MaxKB: Sandbox escape via LD_PRELOAD bypass | CWE-693 | 6.3 | Medium | 2026-04-14
CVE-2026-39418 | MaxKB: SSRF via sandbox network hook bypass | CWE-918 | 5.0 | Medium | 2026-04-14
CVE-2026-39417 | MaxKB: RCE via MCP stdio command injection in workflow engine | CWE-78 | 4.6 | Medium | 2026-04-14
CVE-2025-15632 | 1Panel-dev MaxKB MdPreview chat.ts cross site scripting | CWE-79 | 3.5 | Low | 2026-04-13
CVE-2026-6108 | 1Panel-dev MaxKB Model Context Protocol Node base_mcp_node.py execute os command injection | CWE-78 | 6.3 | Medium | 2026-04-12
CVE-2026-6107 | 1Panel-dev MaxKB ChatHeadersMiddleware chat_headers_middleware.py cross site scripting | CWE-79 | 3.5 | Low | 2026-04-12
CVE-2026-6106 | 1Panel-dev MaxKB Public Chat static_headers_middleware.py StaticHeadersMiddleware cross site scripting | CWE-79 | 3.5 | Low | 2026-04-11
CVE-2025-66446 | MaxKB has a Python sandbox LD_PRELOAD bypass | CWE-362 | 8.8 | High | 2025-12-11
CVE-2025-66419 | MaxKB vulnerable to privilege escalation through sandbox bypass | CWE-362 | 8.8 | High | 2025-12-11
CVE-2025-64703 | MaxKB has Information Leak in sandbox | CWE-200 | 6.3 | Medium | 2025-11-13
CVE-2025-64511 | MaxKB has SSRF in sandbox | CWE-918 | 7.4 | High | 2025-11-13
CVE-2025-10433 | 1Panel-dev MaxKB debug deserialization | CWE-502 | 6.3 | Medium | 2025-09-15
CVE-2025-53928 | MaxKB has RCE in MCP call | CWE-94 | 4.6 | Medium | 2025-07-17
CVE-2025-53927 | MaxKB sandbox bypass | CWE-94 | 4.6 | Medium | 2025-07-17
CVE-2025-48950 | MaxKB Python Sandbox Bypass in Function Library | CWE-276 | 8.8 (AI) | High (AI) | 2025-06-03
CVE-2025-4546 | 1Panel-dev MaxKB Knowledge Base Module csv injection | CWE-1236 | 4.7 | Medium | 2025-05-11
CVE-2025-32383 | MaxKB has a reverse shell vulnerability in function library | CWE-94 | 4.3 | Medium | 2025-04-10
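Several entries in the table are SSRF bypasses of a server-side URL fetch, two of them by DNS rebinding (CWE-367, a check-then-use race) and by URL parsing discrepancy (CWE-918). The Python below is an added illustration of that weakness class and of the standard fix (parse with a real URL parser, resolve once, validate the literal address, connect to that address). It is not MaxKB code and makes no claim about how the affected MaxKB endpoints were implemented. The resolver is injected so the check runs offline; RebindingResolver, the hostname kb.example and the stand-in public address 8.8.8.8 are constructed for the demo.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


class UnsafeUrl(ValueError):
    """Raised when a fetch target fails the SSRF policy."""


def is_public_ip(ip_str: str) -> bool:
    """True only for globally routable unicast addresses: rejects loopback,
    RFC 1918, link-local (169.254/16, where cloud metadata lives), CGNAT,
    multicast and the other special-purpose ranges ipaddress knows about."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_global and not ip.is_multicast


def _hostname(url: str) -> str:
    """Derive the host with a real URL parser so userinfo ('user@'), ports and
    IPv6 brackets are handled; hand-rolled splitting or regexes are where
    parsing-discrepancy bypasses come from."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise UnsafeUrl(f"unsupported scheme or empty host: {url!r}")
    return parts.hostname


def _resolve(host: str, resolve) -> str:
    """Literal IP addresses never touch DNS; names go through the resolver."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return resolve(host)


def system_resolver(host: str) -> str:
    return socket.gethostbyname(host)


def naive_fetch_target(url: str, resolve=system_resolver):
    """Vulnerable check-then-use (CWE-367): validates the address the name
    resolved to at check time, then hands the *name* back to the HTTP client,
    which resolves it again. The second lookup here stands in for that
    client-side resolution. A record that flips to 127.0.0.1 between the two
    lookups passes the check and the fetch reaches the internal service."""
    host = _hostname(url)
    if not is_public_ip(_resolve(host, resolve)):
        raise UnsafeUrl(f"{host} resolves to a non-public address")
    connect_ip = _resolve(host, resolve)
    return host, connect_ip


def pinned_fetch_target(url: str, resolve=system_resolver):
    """Hardened form: resolve once, validate that literal address, and return
    it as the connect target. The client must connect to connect_ip and send
    the original name in the Host header / SNI; every redirect hop needs the
    same treatment."""
    host = _hostname(url)
    connect_ip = _resolve(host, resolve)
    if not is_public_ip(connect_ip):
        raise UnsafeUrl(f"{host} resolves to a non-public address")
    return host, connect_ip


def rejects(gate, url: str, resolve) -> bool:
    """Does the given gate refuse this URL?"""
    try:
        gate(url, resolve)
    except UnsafeUrl:
        return True
    return False


class RebindingResolver:
    """Constructed attacker-controlled DNS: answers a public address on the
    first lookup and 127.0.0.1 on every later one (a low-TTL rebinding record).
    8.8.8.8 is only a stand-in for 'some public address'."""

    def __init__(self, first="8.8.8.8", then="127.0.0.1"):
        self.answers = (first, then)
        self.calls = 0

    def __call__(self, host: str) -> str:
        self.calls += 1
        return self.answers[0] if self.calls == 1 else self.answers[1]


if __name__ == "__main__":
    # kb.example is a constructed hostname; both calls run offline.
    print("naive :", naive_fetch_target("http://kb.example/doc", RebindingResolver()))
    print("pinned:", pinned_fetch_target("http://kb.example/doc", RebindingResolver()))
```

The naive gate ends up connecting to 127.0.0.1 even though its check saw 8.8.8.8; the pinned gate resolves exactly once and connects to the address it validated. Pinning only closes the race for the first request, so a fetcher that follows redirects has to run the same gate on each Location target, and the address policy (is_public_ip) should be tightened further for deployments that have internal services on otherwise public ranges.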
