CVE-2025-53927

Medium CVSS: 4.6

MaxKB is an open-source AI assistant for enterprise. Prior to version 2.0.0, the sandbox design rules can be bypassed because MaxKB only restricts the execution permissions of files in a specific directory. Therefore, an attacker can use the `shutil.copy2` method in Python to copy the command they want to execute to the executable directory. This bypasses directory restrictions and reverse shell. Version 2.0.0 fixes the issue.

Vendor

Maxkb

Product

Maxkb

CWE

CWE-94

Yayın Tarihi

2025-07-17 14:15:32

Güncelleme

2025-08-02 01:34:28

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-94 Maxkb MEDIUM Maxkb 2025

Referanslar

https://github.com/1Panel-dev/MaxKB/releases/tag/v2.0.0 https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-5xhm-4j3v-87m4

Benzer Kayıtlar

High

CVE-2025-66419

MaxKB is an open-source AI assistant for enterprise. In versions 2.3.1 and below, the tool module allows an attacker to…

High

CVE-2025-66446

MaxKB is an open-source AI assistant for enterprise. Versions 2.3.1 and below have improper file permissions which allow…

High

CVE-2025-64511

MaxKB is an open-source AI assistant for enterprise. In versions prior to 2.3.1, a user can access internal network serv…

Medium

CVE-2025-64703

MaxKB is an open-source AI assistant for enterprise. In versions prior to 2.3.1, a user can get sensitive informations b…

Medium

CVE-2025-53928

MaxKB is an open-source AI assistant for enterprise. Prior to versions 1.10.9-lts and 2.0.0, a Remote Command Execution…

Medium

CVE-2025-48950

MaxKB is an open-source AI assistant for enterprise. Prior to version 1.10.8-lts, Sandbox only restricts the execution p…