CVE-2025-53928

Description

MaxKB is an open-source AI assistant for enterprise. Prior to versions 1.10.9-lts and 2.0.0, a Remote Command Execution vulnerability exists in the MCP call. Versions 1.10.9-lts and 2.0.0 fix the issue.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Affected products

1Panel-dev / MaxKB< 2.0.0 – < 2.0.0
1Panel-dev / MaxKB< 1.10.9-lts – < 1.10.9-lts

References

VENDOR_ADVISORYhttps://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-38q2-4mm7-qf5h
PATCHhttps://github.com/1Panel-dev/MaxKB/releases/tag/v2.0.0