|
61
|
5.4 |
MEDIUM
Network
|
maxkb
|
maxkb
|
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain an Eval Injection vulnerability in the Markdown rendering engine that allows any user capable of interacting with…
Update
|
CWE-79
CWE-95
Cross-site Scripting
Eval Injection
|
CVE-2026-39423
|
2026-04-21 02:34 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
62
|
4.7 |
MEDIUM
Network
|
maxkb
|
maxkb
|
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, the chat export feature is vulnerable to Improper Neutralization of Formula Elements in a CSV File. When an administr…
Update
|
CWE-1236
Improper Neutralization of Formula Elements in a CSV File
|
CVE-2026-39424
|
2026-04-21 02:34 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
63
|
3.1 |
LOW
Network
|
maxkb
|
maxkb
|
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an authenticated user can bypass sandbox result validation and spoof tool execution results by exploiting Python fram…
Update
|
CWE-74
CWE-290
CWE-693
Injection
Authentication Bypass by Spoofing
Protection Mechanism Failure
|
CVE-2026-39419
|
2026-04-21 02:32 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
64
|
5.4 |
MEDIUM
Network
|
maxkb
|
maxkb
|
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability that allows authenticated users to inject arbitrary HTML and Ja…
Update
|
CWE-80
Basic XSS
|
CVE-2026-39425
|
2026-04-21 02:31 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
65
|
5.4 |
MEDIUM
Network
|
maxkb
|
maxkb
|
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability where the frontend's MdRenderer.vue component parses custom <if…
Update
|
CWE-79
Cross-site Scripting
|
CVE-2026-39426
|
2026-04-21 02:31 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
66
|
7.3 |
HIGH
Network
|
-
|
-
|
A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the function cors of the file src/server.ts of the component Token Endpoint. Performing a manipulation results i…
New
|
CWE-346
CWE-942
Origin Validation Error
Permissive Cross-domain Policy with Untrusted Domains
|
CVE-2026-6662
|
2026-04-21 02:16 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
67
|
- |
|
-
|
-
|
miniupnpd contains an integer underflow vulnerability in SOAPAction header parsing that allows remote attackers to cause a denial of service or information disclosure by sending a malformed SOAPActio…
New
|
CWE-125
CWE-191
Out-of-bounds Read
Integer Underflow (Wrap or Wraparound)
|
CVE-2026-5720
|
2026-04-21 02:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
68
|
8.8 |
HIGH
Network
|
-
|
-
|
KissFFT before commit 8a8e66e contains an integer overflow vulnerability in the kiss_fftndr_alloc() function in kiss_fftndr.c where the allocation size calculation dimOther*(dimReal+2)*sizeof(kiss_ff…
New
|
CWE-122
CWE-190
Heap-based Buffer Overflow
Integer Overflow or Wraparound
|
CVE-2026-41445
|
2026-04-21 02:16 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
69
|
5.4 |
MEDIUM
Network
|
-
|
-
|
The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state` parameter on the login / login-callback flow, and did not use PKCE. An at…
New
|
CWE-352
Origin Validation Error
|
CVE-2026-40948
|
2026-04-21 02:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
70
|
6.5 |
MEDIUM
Network
|
-
|
-
|
OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to a…
New
|
CWE-367
CWE-639
Time-of-check Time-of-use (TOCTOU) Race Condition
Authorization Bypass Through User-Controlled Key
|
CVE-2026-40896
|
2026-04-21 02:16 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
