SSRF in 1panel-dev MaxKB

CVE-2026-42335

MaxKB is an open-source AI assistant for enterprise. Versions prior to 2.8.1 (MaxKB v2.8.0 and earlier) are vulnerable to a server-side request forgery (SSRF) bypass in the OSS file service URL fetch endpoint (chat/api/oss/get_url). The vulnerability…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.000 (15.8th percentile)

Affected products

Weakness classification (CWE)

References