CVE-2026-39424

MEDIUM EPSS 28.6%
Published Apr 14, 20262mo ago · Modified Jun 17, 20261w ago
5.3 CVSS 4.0
Medium
Find Similar
Published Apr 14, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, the chat export feature is vulnerable to Improper Neutralization of Formula Elements in a CSV File. When an administrator exports the application chat history to an Excel file (.xlsx) via the /admin/api/workspace/{workspace_id}/application/{application_id}/chat/export endpoint, strings starting with formula characters are written directly without proper sanitization. Opening this file in spreadsheet applications like Microsoft Excel can lead to Arbitrary Code Execution (RCE) on the administrator's workstation via Dynamic Data Exchange (DDE). The issue is a variant of CVE-2025-4546, which fixed the exact same pattern in apps/dataset/serializers/document_serializers.py but missed the application chat export sink. This issue has been fixed in version 2.8.0.

CVSS Details

Base Score
5.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
28.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-1236

Affected Products 1

VendorProductVersionRange
maxkbmaxkb* <2.8.0

References 3

  • github.com https://github.com/1Panel-dev/MaxKB/commit/24cd68acae5f726eed828e2ac801827a2a70536f
    Patch
  • github.com https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0
    Release Notes
  • github.com https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-rr4r-7cj2-29vp
    Vendor Advisory

Remediation

  • github.com https://github.com/1Panel-dev/MaxKB/commit/24cd68acae5f726eed828e2ac801827a2a70536f
    Patch