CVE-2026-39424 MaxKB has CSV Injection in its Application Chat Export Functionality

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, the chat export feature is vulnerable to Improper Neutralization of Formula Elements in a CSV File. When an administrator exports the application chat history to an Excel file .xlsx via the...

CVE-2026-39424

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, the chat export feature is vulnerable to Improper Neutralization of Formula Elements in a CSV File. When an administrator exports the application chat history to an Excel file .xlsx via the...

CVE-2026-39424

MaxKB (1Panel-dev) has a CSV-injection vulnerability in the chat export feature for versions 2.7.1 and earlier. When exporting chat history to .xlsx via /admin/api/workspace/{workspace_id}/application/{application_id}/chat/export, strings beginning with formula characters are written without sani...

CVE-2025-69873

ajv Another JSON Schema Validator before 8.18.0 is vulnerable to Regular Expression Denial of Service ReDoS when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax $data reference, which is passed directly to the JavaScript RegExp constructor without...

MiracleLinux 9 : mysql-8.0.41-2.el9_5.ML.1 (AXSA:2025-9701:03)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2025-9701:03 advisory. openssl: SSLselectnextproto buffer overread CVE-2024-5535 krb5: GSS message token handling CVE-2024-37371 curl: libcurl: ASN.1 date parser overread...

CVE-2021-33323

The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form as an unauthenticated user...

CVE-2021-33334

The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.2, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 6, does not properly check user permissions, which allows remote attackers with the forms "Access in Site Administration" permission to vi...

CVE-2022-42131

Certain Liferay products are affected by: Missing SSL Certificate Validation in the Dynamic Data Mapping module's REST data providers. This affects Liferay Portal 7.1.0 through 7.4.2 and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3...

Apache OpenOffice External File Loading Vulnerability

Apache OpenOffice is an open source office software suite from the American Apache Apache Foundation. A security vulnerability exists in Apache OpenOffice, which stems from improper authorization checking, and can be exploited by remote attackers to automatically load external files containing DD...

EUVD-2025-124972

Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, Calc spreadsheet containing DDE links to...

CVE-2025-64405

Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, Calc spreadsheet containing DDE links to...

CVE-2025-64405

Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, Calc spreadsheet containing DDE links to...

CVE-2025-64405 Apache OpenOffice: Remote documents loaded without prompt via DDE function

Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, Calc spreadsheet containing DDE links to...

CVE-2025-64405 Apache OpenOffice: Remote documents loaded without prompt via DDE function

Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, Calc spreadsheet containing DDE links to...

CVE-2025-64405

CVE-2025-64405 affects Apache OpenOffice up to version 4.1.15. The issue is a missing authorization check when handling external links, specifically in Calc spreadsheets with DDE links to external files, which could cause the external contents to be loaded without user prompt. The combined set of...

Apache OpenOffice 安全漏洞

Apache OpenOffice is an open source office software suite from the American Apache Apache Foundation. A security vulnerability exists in Apache OpenOffice, which stems from improper authorization checking, and can be exploited by remote attackers to automatically load external files containing DD...

Cross-site Scripting (XSS)

Overview com.liferay:com.liferay.dynamic.data.mapping.item.selector.web is a Liferay Dynamic Data Mapping Item Selector Web Affected versions of this package are vulnerable to Cross-site Scripting XSS via the select structure page when processing user input in the First Name, Middle Name, or Last...

Cross-site Scripting (XSS)

com.liferay, com.liferay.dynamic.data.mapping.form.field.type is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper validation of user-supplied input in rich text type fields within objects, which allows an attacker to inject and execute arbitrary web scripts or HTML...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the definition parameter of the Dynamic Data Mapping portlet. An authenticated attacker can execute arbitrary JavaScript code in the context of a user's browser by crafting a malicious request and tricking a...

CVE-2025-62248

A reflected cross-site scripting XSS vulnerability, resulting from a regression, has been identified in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through...