Lucene search
K

229 matches found

CVE
CVE
added 2026/05/26 8:14 p.m.27 views

CVE-2026-45412

MaxKB (enterprise AI) is affected by SSRF in the work_flow_template component prior to version 2.9.1. An authenticated user could supply arbitrary URLs to work_flow_template.downloadUrl, and the server would fetch them without URL validation or internal IP filtering, enabling server-side requests...

6.3CVSS5.9AI score0.00207EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/26 8:14 p.m.16 views

EUVD-2026-31985

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, SSRF via workflowtemplate Import. Authenticated users can supply arbitrary URLs in workflowtemplate.downloadUrl which are fetched server-side without any URL validation or internal IP filtering. This vulnerability is fixed in...

6.3CVSS5.9AI score0.00207EPSS
Exploits0References1
CVE
CVE
added 2026/05/26 8:12 p.m.31 views

CVE-2026-45413

MaxKB (open‑source enterprise AI assistant) prior to version 2.9.1 stores user passwords with unsalted MD5 hashes, enabling trivial cracking via rainbow tables or GPU-based brute force. The issue is fixed in 2.9.1. Rate of exploitation and in‑the‑wild impact are not detailed in the provided docum...

6.9CVSS5.8AI score0.00083EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/26 8:12 p.m.11 views

CVE-2026-45413 MaxKB: Unsalted MD5 Password Hashing

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, user passwords are stored using unsalted MD5 hashes, making them trivially crackable via rainbow tables or GPU-accelerated brute force hashcat. This vulnerability is fixed in 2.9.1...

6.9CVSS5.8AI score0.00083EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/26 8:12 p.m.37 views

CVE-2026-45413 MaxKB: Unsalted MD5 Password Hashing

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, user passwords are stored using unsalted MD5 hashes, making them trivially crackable via rainbow tables or GPU-accelerated brute force hashcat. This vulnerability is fixed in 2.9.1...

6.9CVSS0.00083EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/26 8:9 p.m.35 views

CVE-2026-42335 MaxKB: SSRF Bypass in MaxKB OSS URL Fetch due to URL Parsing Discrepancy

MaxKB is an open-source AI assistant for enterprise. Prior to 2.8.1, MaxKB v2.8.0 and prior are vulnerable to a server-side request forgery SSRF bypass in the OSS file service URL fetch chat/api/oss/geturl endpoint. The vulnerability exists due to inconsistent URL parsing between the urlparse...

6.3CVSS0.00232EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/26 8:9 p.m.14 views

CVE-2026-42335

MaxKB is an open-source AI assistant for enterprise. Prior to 2.8.1, MaxKB v2.8.0 and prior are vulnerable to a server-side request forgery SSRF bypass in the OSS file service URL fetch chat/api/oss/geturl endpoint. The vulnerability exists due to inconsistent URL parsing between the urlparse...

6.3CVSS5.8AI score0.00232EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/05/26 8:9 p.m.26 views

CVE-2026-42335

MaxKB (open-source AI assistant for enterprise) prior to 2.8.1 is vulnerable to an SSRF bypass in the OSS file service URL fetch endpoint (chat/api/oss/get_url). The issue stems from inconsistent URL parsing between the urlparse validation function and the requests HTTP client, enabling an attack...

6.3CVSS5.8AI score0.00232EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/26 8:9 p.m.14 views

EUVD-2026-31983

MaxKB is an open-source AI assistant for enterprise. Prior to 2.8.1, MaxKB v2.8.0 and prior are vulnerable to a server-side request forgery SSRF bypass in the OSS file service URL fetch chat/api/oss/geturl endpoint. The vulnerability exists due to inconsistent URL parsing between the urlparse...

6.3CVSS5.8AI score0.00232EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/26 12:0 a.m.17 views

PT-2026-43404

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.0, MaxKB's webhook trigger endpoint /api/trigger/v1/webhook/trigger id is accessible without authentication. The WebhookAuth class unconditionally returns None, , which Django REST Framework interprets as successful authentication...

7.5CVSS5.9AI score0.00271EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/26 12:0 a.m.9 views

MaxKB 代码问题漏洞

MaxKB is an open-source question-answering system based on large language models and RAG, developed by 1Panel-dev. Versions of MaxKB prior to 2.8.0 contained code vulnerabilities. These vulnerabilities stemmed from a server-side request forgeing bypass vulnerability in the OSS file service URL...

5.1CVSS5.9AI score0.00187EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/26 12:0 a.m.13 views

MaxKB 安全漏洞

MaxKB is an open-source question-answering system based on large language models and RAG, developed by 1Panel-dev. Versions of MaxKB prior to 2.9.1 contained a security vulnerability. This vulnerability stemmed from the use of unaltered MD5 hash storage for user passwords, which could make the...

6.9CVSS5.8AI score0.00083EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/26 12:0 a.m.12 views

MaxKB 访问控制错误漏洞

MaxKB is an open-source question-answering system based on large language models and RAG, developed by 1Panel-dev. Prior to MaxKB 2.9.0, there was an access control vulnerability. This vulnerability stemmed from the Webhook trigger endpoint/api/trigger/v1/webhook/triggerid, which allowed access...

7.5CVSS5.9AI score0.00271EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/26 12:0 a.m.14 views

MaxKB 安全漏洞

MaxKB is an open-source question-answering system based on large language models and RAG, developed by 1Panel-dev. Versions of MaxKB prior to 2.8.0 contained security vulnerabilities. These vulnerabilities stemmed from access control flaws in the API for retrieving OSS file service URLs, which...

5.3CVSS5.9AI score0.00207EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/26 12:0 a.m.15 views

PT-2026-43398

Name of the Vulnerable Software and Affected Versions MaxKB versions prior to 2.8.1 Description Broken access control exists in the OSS file service URL fetch API endpoint "chat/api/oss/get url". The system uses the application id variable from the URL path without validating ownership, which...

5.3CVSS5.8AI score0.00207EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/26 12:0 a.m.14 views

MaxKB 代码问题漏洞

MaxKB is an open-source question-answering system based on large language models and RAG, developed by 1Panel-dev. Versions of MaxKB prior to 2.9.1 contained code vulnerabilities. These vulnerabilities stemmed from the work-flowtemplate import feature, where authenticated users could provide...

6.3CVSS6AI score0.00207EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/26 12:0 a.m.12 views

MaxKB 代码问题漏洞

MaxKB is an open-source question-answering system based on large language models and RAG, developed by 1Panel-dev. Versions of MaxKB prior to 2.8.1 contained code vulnerabilities. These vulnerabilities stemmed from a server-side request forgeing vulnerability in the OSS file service URL retrieval...

6.3CVSS5.9AI score0.00232EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/04/16 7:22 p.m.8 views

CVE-2026-39420

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an incomplete sandbox protection mechanism allows an authenticated user with tool execution privileges to escape the LDPRELOAD-based sandbox. By env command the attacker can clear the environment variables and drop...

7.4CVSS6.3AI score0.00485EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/16 7:22 p.m.5 views

CVE-2026-39426

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability where the frontend's MdRenderer.vue component parses custom tags from LLM responses or Application Prologue configurations, bypassing standard Markdown sanitizatio...

5.4CVSS5.8AI score0.00193EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/16 7:22 p.m.7 views

CVE-2026-39424

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, the chat export feature is vulnerable to Improper Neutralization of Formula Elements in a CSV File. When an administrator exports the application chat history to an Excel file .xlsx via the...

5.3CVSS5.8AI score0.00368EPSS
Exploits0References1
Rows per page
Query Builder