SSRF in 1panel-dev Maxkb

CVE-2026-42336

MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a server-side request forgery (SSRF) bypass in the OSS file service URL fetch functionality due to inconsistent DNS resolution between validation…

Vulnerability class: TOCTOU (Time-of-Check to Time-of-Use)

EPSS: 0.001 (18.6th percentile)
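The check-then-use gap the description refers to, as an added illustration that is not MaxKB's code: a constructed resolver changes its answer between lookups, a validator that re-resolves the hostname at fetch time is bypassed, and the pinned variant resolves once, validates that answer and connects to it. The resolver, hostname and addresses are all constructed.

```python
import ipaddress
from collections import deque
from urllib.parse import urlsplit


class FlappingResolver:
    """Constructed stand-in for DNS: cycles through a list of answers, one per
    lookup, the way a rebinding name server changes its answer between queries."""

    def __init__(self, answers):
        self._answers = deque(answers)

    def resolve(self, host):
        ip = self._answers[0]
        self._answers.rotate(-1)
        return ip


def is_public(ip):
    """Reject loopback, RFC 1918, link-local, multicast and reserved ranges."""
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved)


def fetch_naive(url, resolver):
    """Time-of-check / time-of-use gap: the hostname is resolved once to validate
    it, then the HTTP client resolves it again when it actually connects.
    Returns the address the client would end up connecting to."""
    host = urlsplit(url).hostname
    if not is_public(resolver.resolve(host)):   # check: first lookup
        raise ValueError("blocked: non-public address")
    return resolver.resolve(host)               # use: independent second lookup


def fetch_pinned(url, resolver):
    """Resolve exactly once, validate that answer, and connect to that literal
    address (the original hostname goes in the Host header / SNI)."""
    host = urlsplit(url).hostname
    ip = resolver.resolve(host)
    if not is_public(ip):
        raise ValueError("blocked: non-public address")
    return ip   # the client must connect to this IP, never re-resolve host


if __name__ == "__main__":
    answers = ["11.22.33.44", "10.0.0.5"]   # constructed: public first, internal second
    print(fetch_naive("http://files.example.test/a.txt", FlappingResolver(answers)))   # 10.0.0.5
    print(fetch_pinned("http://files.example.test/a.txt", FlappingResolver(answers)))  # 11.22.33.44
```

A real HTTP client also re-resolves on every redirect, so the pinned connect has to be applied to each hop, not only the first URL.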
