Approved changes feed: RSS · Atom

cpe:2.3:a:1panel-dev:maxkb:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor1Panel Dev (f9ba1e7c-5084-57b5-b4d5-d8c0480207c1)
ProductMaxkb (080a2d9b-c26b-5726-9848-d95cda224a90)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from gcve-enriched-dumps CVE data

PURL mappings

PURLSourceLast updated
No PURL mappings for this CPE yet.

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2026-45413 vulnerable 2026-06-08 08:05:11.741212 MaxKB: Unsalted MD5 Password Hashing
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, user passwords are stored using unsalted MD5 hashes, making them trivially crackable via rainbow tables or GPU-accelerated brute force (hashcat). This vulnerability is fixed in 2.9.1.
Published: 2026-05-26T20:12:34.805Z
Updated: 2026-05-27T13:22:28.597Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-45412 vulnerable 2026-06-08 08:05:11.741069 MaxKB: Unauthenticated SSRF via Workflow Template Import
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, SSRF via work_flow_template Import. Authenticated users can supply arbitrary URLs in work_flow_template.downloadUrl which are fetched server-side without any URL validation or internal IP filtering. This vulnerability is fixed in 2.9.1.
Published: 2026-05-26T20:14:39.702Z
Updated: 2026-05-27T17:27:12.540Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-44847 vulnerable 2026-06-08 08:05:11.329068 MaxKB: Webhook Trigger Authentication Bypass
HIGH (7.5)
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.0, MaxKB's webhook trigger endpoint (/api/trigger/v1/webhook/{trigger_id}) is accessible without authentication. The WebhookAuth class unconditionally returns (None, {}), which Django REST Framework interprets as successful authentication. Combined with optional per-trigger token verification and no backend enforcement of token requirements, any unauthenticated attacker who knows a valid trigger ID can invoke webhook triggers to execute their bound tasks. This vulnerability is fixed in 2.9.0.
Published: 2026-05-26T20:16:46.794Z
Updated: 2026-06-01T17:09:26.401Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-42337 vulnerable 2026-06-08 08:03:16.176701 MaxKB: Broken Access Control in MaxKB OSS URL Fetch API
MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a broken access control vulnerability in the OSS file service URL fetch API (chat/api/oss/get_url). The endpoint uses application_id from the URL path without validating ownership, allowing attackers to perform operations under other applications’ policies. This vulnerability is fixed in 2.8.1.
Published: 2026-05-26T20:19:40.844Z
Updated: 2026-05-27T13:23:02.787Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-42336 vulnerable 2026-06-08 08:03:16.176564 MaxKB: SSRF Bypass via DNS Rebinding in MaxKB OSS URL Fetch
MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a server-side request forgery (SSRF) bypass in the OSS file service URL fetch functionality due to inconsistent DNS resolution between validation and actual request execution, allowing attackers to access internal network services. This vulnerability is fixed in 2.8.1.
Published: 2026-05-26T20:22:41.423Z
Updated: 2026-05-27T17:27:41.448Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-42335 vulnerable 2026-06-08 08:03:16.176377 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-39426 vulnerable 2026-06-08 08:01:16.493353 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-39425 vulnerable 2026-06-08 08:01:16.492806 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-39424 vulnerable 2026-06-08 08:01:16.492436 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-39423 vulnerable 2026-06-08 08:01:16.492021 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-39422 vulnerable 2026-06-08 08:01:16.491451 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-39421 vulnerable 2026-06-08 08:01:16.491139 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-39420 vulnerable 2026-06-08 08:01:16.490720 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-39419 vulnerable 2026-06-08 08:01:16.490240 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-39418 vulnerable 2026-06-08 08:01:16.484343 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-39417 vulnerable 2026-06-08 08:01:16.482882 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-66446 vulnerable 2026-06-08 07:41:18.940419 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-66419 vulnerable 2026-06-08 07:41:18.906721 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-64703 vulnerable 2026-06-08 07:39:20.173773 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-64511 vulnerable 2026-06-08 07:39:19.872502 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-53928 vulnerable 2026-06-08 07:31:15.949993 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-53927 vulnerable 2026-06-08 07:31:15.948084 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-4546 vulnerable 2026-06-08 07:29:16.424363 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-48950 vulnerable 2026-06-08 07:29:12.293848 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-32383 vulnerable 2026-06-08 07:18:59.700827 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-10433 vulnerable 2026-06-08 07:02:26.859326 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-56137 vulnerable 2026-06-08 06:54:17.451182 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.