SSRF in 1panel-dev Maxkb
CVE-2026-45412
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, SSRF via work_flow_template Import. Authenticated users can supply arbitrary URLs in work_flow_template.downloadUrl which are fetched server-side without any URL validati…
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS: 0.000 (13.5th percentile) — read the EPSS interpretation.
Affected products
- 1panel-dev Maxkb — versions < 2.9.1
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)