Approved changes feed: RSS · Atom
cpe:2.3:a:1panel-dev:maxkb:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | 1Panel Dev (f9ba1e7c-5084-57b5-b4d5-d8c0480207c1) |
|---|---|
| Product | Maxkb (080a2d9b-c26b-5726-9848-d95cda224a90) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2026-45413 |
vulnerable | 2026-06-08 08:05:11.741212 |
MaxKB: Unsalted MD5 Password Hashing
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, user passwords are stored using unsalted MD5 hashes, making them trivially crackable via rainbow tables or GPU-accelerated brute force (hashcat). This vulnerability is fixed in 2.9.1.
Published: 2026-05-26T20:12:34.805Z
Updated: 2026-05-27T13:22:28.597Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-45412 |
vulnerable | 2026-06-08 08:05:11.741069 |
MaxKB: Unauthenticated SSRF via Workflow Template Import
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, SSRF via work_flow_template Import. Authenticated users can supply arbitrary URLs in work_flow_template.downloadUrl which are fetched server-side without any URL validation or internal IP filtering. This vulnerability is fixed in 2.9.1.
Published: 2026-05-26T20:14:39.702Z
Updated: 2026-05-27T17:27:12.540Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-44847 |
vulnerable | 2026-06-08 08:05:11.329068 |
MaxKB: Webhook Trigger Authentication Bypass
HIGH (7.5)
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.0, MaxKB's webhook trigger endpoint (/api/trigger/v1/webhook/{trigger_id}) is accessible without authentication. The WebhookAuth class unconditionally returns (None, {}), which Django REST Framework interprets as successful authentication. Combined with optional per-trigger token verification and no backend enforcement of token requirements, any unauthenticated attacker who knows a valid trigger ID can invoke webhook triggers to execute their bound tasks. This vulnerability is fixed in 2.9.0.
Published: 2026-05-26T20:16:46.794Z
Updated: 2026-06-01T17:09:26.401Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-42337 |
vulnerable | 2026-06-08 08:03:16.176701 |
MaxKB: Broken Access Control in MaxKB OSS URL Fetch API
MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a broken access control vulnerability in the OSS file service URL fetch API (chat/api/oss/get_url). The endpoint uses application_id from the URL path without validating ownership, allowing attackers to perform operations under other applications’ policies. This vulnerability is fixed in 2.8.1.
Published: 2026-05-26T20:19:40.844Z
Updated: 2026-05-27T13:23:02.787Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-42336 |
vulnerable | 2026-06-08 08:03:16.176564 |
MaxKB: SSRF Bypass via DNS Rebinding in MaxKB OSS URL Fetch
MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a server-side request forgery (SSRF) bypass in the OSS file service URL fetch functionality due to inconsistent DNS resolution between validation and actual request execution, allowing attackers to access internal network services. This vulnerability is fixed in 2.8.1.
Published: 2026-05-26T20:22:41.423Z
Updated: 2026-05-27T17:27:41.448Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-42335 |
vulnerable | 2026-06-08 08:03:16.176377 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-39426 |
vulnerable | 2026-06-08 08:01:16.493353 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-39425 |
vulnerable | 2026-06-08 08:01:16.492806 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-39424 |
vulnerable | 2026-06-08 08:01:16.492436 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-39423 |
vulnerable | 2026-06-08 08:01:16.492021 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-39422 |
vulnerable | 2026-06-08 08:01:16.491451 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-39421 |
vulnerable | 2026-06-08 08:01:16.491139 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-39420 |
vulnerable | 2026-06-08 08:01:16.490720 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-39419 |
vulnerable | 2026-06-08 08:01:16.490240 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-39418 |
vulnerable | 2026-06-08 08:01:16.484343 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-39417 |
vulnerable | 2026-06-08 08:01:16.482882 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-66446 |
vulnerable | 2026-06-08 07:41:18.940419 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-66419 |
vulnerable | 2026-06-08 07:41:18.906721 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-64703 |
vulnerable | 2026-06-08 07:39:20.173773 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-64511 |
vulnerable | 2026-06-08 07:39:19.872502 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-53928 |
vulnerable | 2026-06-08 07:31:15.949993 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-53927 |
vulnerable | 2026-06-08 07:31:15.948084 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-4546 |
vulnerable | 2026-06-08 07:29:16.424363 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-48950 |
vulnerable | 2026-06-08 07:29:12.293848 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-32383 |
vulnerable | 2026-06-08 07:18:59.700827 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-10433 |
vulnerable | 2026-06-08 07:02:26.859326 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-56137 |
vulnerable | 2026-06-08 06:54:17.451182 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.