These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T16:16:32.587Z and has not been modified since then. The MaxKB tool import functionality and MCP referencing mode vulnerability allows an authenticated user to execute arbitrary system commands. This issue is fixed in version 2.10.0-lts. The vulnerability has a CVSS score of 8.8 and is considered [truncated]
CVE-2026-56779 is a server-side request forgery (SSRF) vulnerability in MaxKB, a tool that provides knowledge base management. The vulnerability exists in the tool creation and update endpoints and allows authenticated users with the default workspace USER role to make arbitrary server requests by supplying unvalidated downloadCallbackUrl and download_url parameters. This can be exploited to access intern [truncated]
MaxKB, an open-source AI assistant for enterprise environments, stored user passwords using unsalted MD5 hashing prior to version 2.9.1. MD5 is cryptographically broken and unsuitable for password storage; the absence of salting renders password hashes vulnerable to precomputed rainbow table attacks and efficient GPU-accelerated brute force recovery. An attacker with access to the password database—whethe [truncated]
MaxKB versions prior to 2.9.0 contain an authentication bypass vulnerability in the webhook trigger endpoint. The WebhookAuth class unconditionally returns authentication success, allowing unauthenticated attackers with knowledge of a valid trigger ID to invoke webhook triggers and execute bound tasks. The CVSS 3.1 score of 7.5 (HIGH) reflects network attackability, low complexity, no privileges required, [truncated]
A broken access control vulnerability in MaxKB 2.8.0 and prior allows authenticated attackers to access OSS file service URLs belonging to other applications. The `chat/api/oss/get_url` endpoint accepts an `application_id` from the URL path without verifying that the requesting user owns or has permission to access that application. This permits horizontal privilege escalation where an attacker with valid [truncated]
A server-side request forgery (SSRF) vulnerability exists in MaxKB versions 2.8.0 and prior. The flaw resides in the OSS file service URL fetch functionality, where inconsistent DNS resolution between validation and actual request execution creates a TOCTOU (time-of-check to time-of-use) race condition. An attacker with low privileges can exploit this inconsistency to bypass URL validation and access inte [truncated]
CVE-2026-42335 is a server-side request forgery (SSRF) vulnerability in MaxKB, an open-source AI assistant for enterprise environments. The vulnerability affects versions 2.8.0 and prior, with a fix released in version 2.8.1. The flaw resides in the OSS file service URL fetch endpoint (`chat/api/oss/get_url`), where inconsistent URL parsing between the `urlparse` validation function and the `requests` HTT [truncated]