Lucene search
K

74 matches found

NVD
NVD
added 2026/06/26 3:16 p.m.8 views

CVE-2026-57660

Unauthenticated Broken Access Control in Booking and Rental Manager = 2.7.1 versions...

5.3CVSS0.00176EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/06/25 8:11 a.m.5 views

WordPress Gravity Bookings plugin <= 2.7.1 - Authenticated (Subscriber+) Time-Based SQL Injection vulnerability

Authenticated Subscriber+ Time-Based SQL Injection vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin Gravity Forms Bookings premium versions = 2.7.1...

6.5CVSS6AI score0.00241EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/06/25 3:42 a.m.8 views

EUVD-2026-39167

The Gravity Forms Booking plugin for WordPress is vulnerable to time-based SQL Injection via the ‘staffid’ parameter in all versions up to, and including, 2.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

6.5CVSS6AI score0.00241EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/04/16 7:22 p.m.5 views

CVE-2026-39424

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, the chat export feature is vulnerable to Improper Neutralization of Formula Elements in a CSV File. When an administrator exports the application chat history to an Excel file .xlsx via the...

5.3CVSS5.8AI score0.00368EPSS
Exploits0References1
NVD
NVD
added 2026/04/14 2:16 a.m.20 views

CVE-2026-39419

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an authenticated user can bypass sandbox result validation and spoof tool execution results by exploiting Python frame introspection to read the wrapper's UUID from its bytecode constants, then writing a forged resu...

3.1CVSS0.00222EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/14 12:56 a.m.6 views

CVE-2026-39424 MaxKB has CSV Injection in its Application Chat Export Functionality

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, the chat export feature is vulnerable to Improper Neutralization of Formula Elements in a CSV File. When an administrator exports the application chat history to an Excel file .xlsx via the...

5.3CVSS5.8AI score0.00368EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/14 12:28 a.m.4 views

CVE-2026-39423

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain an Eval Injection vulnerability in the Markdown rendering engine that allows any user capable of interacting with the AI chat interface to execute arbitrary JavaScript in the browsers of other users, including...

6.9CVSS6.1AI score0.00173EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 2026/04/14 12:22 a.m.10 views

EUVD-2026-22182

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability through the application name or icon fields when creating an application. When a victim visits the public chat interface /ui/chat/accesstoken, the...

6.9CVSS6AI score0.00216EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/04/14 12:22 a.m.29 views

CVE-2026-39422 MaxKB has Stored XSS via ChatHeadersMiddleware

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability through the application name or icon fields when creating an application. When a victim visits the public chat interface /ui/chat/accesstoken, the...

6.9CVSS0.00216EPSS
Exploits1References3
NVD
NVD
added 2026/04/14 12:16 a.m.5 views

CVE-2026-39417

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain an incomplete fix for CVE-2025-53928, where a Remote Code Execution vulnerability still exists in the MCP node of the workflow engine. MaxKB only restricts the referencing code path loading MCP config from the...

5.5CVSS0.00243EPSS
Exploits0References3
CVE
CVE
added 2026/04/14 12:13 a.m.9 views

CVE-2026-39420

CVE-2026-39420 (MaxKB) affects MaxKB

7.4CVSS6.3AI score0.00485EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/04/14 12:3 a.m.36 views

CVE-2026-39417 MaxKB: RCE via MCP stdio command injection in workflow engine

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain an incomplete fix for CVE-2025-53928, where a Remote Code Execution vulnerability still exists in the MCP node of the workflow engine. MaxKB only restricts the referencing code path loading MCP config from the...

4.6CVSS0.00243EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/04/14 12:0 a.m.9 views

MaxKB 安全漏洞

MaxKB is an open-source question-answering system based on large language models and RAG, developed by 1Panel-dev. Versions of MaxKB prior to 2.7.1 contained a security vulnerability. This vulnerability stemmed from the use of storage-oriented cross-site scripting in the application name or icon...

6.9CVSS5.9AI score0.00216EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/04/14 12:0 a.m.3 views

PT-2026-32564

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain an incomplete fix for CVE-2025-53928, where a Remote Code Execution vulnerability still exists in the MCP node of the workflow engine. MaxKB only restricts the referencing code path loading MCP config from the...

9.8CVSS6AI score0.00427EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/03/25 6:49 p.m.2 views

CVE-2026-27602

Modoboa is a mail hosting and management platform. Prior to version 2.7.1, execcmd in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacte...

7.2CVSS5.9AI score0.00566EPSS
Exploits1References4Affected Software1
Cvelist
Cvelist
added 2026/03/25 6:49 p.m.21 views

CVE-2026-27602 Modoboa has an OS Command Injection

Modoboa is a mail hosting and management platform. Prior to version 2.7.1, execcmd in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacte...

7.2CVSS0.00566EPSS
Exploits1References3
NVD
NVD
added 2026/03/25 5:16 p.m.5 views

CVE-2026-25366

Improper Control of Generation of Code 'Code Injection' vulnerability in Themeisle Woody ad snippets insert-php allows Code Injection.This issue affects Woody ad snippets: from n/a through = 2.7.1...

9.9CVSS0.00311EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/03/25 12:0 a.m.7 views

PT-2026-28089

Modoboa is a mail hosting and management platform. Prior to version 2.7.1, exec cmd in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell...

7.2CVSS5.9AI score0.00566EPSS
Exploits1References4
CNNVD
CNNVD
added 2026/03/25 12:0 a.m.9 views

WordPress plugin Woody ad snippets 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There ar...

9.9CVSS5.9AI score0.00311EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/03/23 6:28 p.m.6 views

WordPress Woody ad snippets plugin <= 2.7.1 - Remote Code Execution (RCE) vulnerability

Remote Code Execution RCE vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin Woody ad snippets versions = 2.7.1...

9.9CVSS5.9AI score0.00311EPSS
Exploits0Affected Software1
Rows per page
Query Builder