RCE in 1panel-dev MaxKB

CVE-2026-39423

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain an Eval Injection vulnerability in the Markdown rendering engine that allows any user capable of interacting with the AI chat interface to execute arbitr…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (10.5th percentile)
