Description
A vulnerability was found in 1Panel-dev MaxKB up to 2.0.2/2.1.0. It affects unspecified processing in the file /admin/api/workspace/default/tool/debug. Manipulation of the argument code can lead to deserialization. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used. Upgrading to version 2.1.1 addresses this issue. Upgrading the affected component is recommended.
References (5)
Core References
Release Notes (patch): https://github.com/1Panel-dev/MaxKB/releases/tag/v2.1.1
Permissions Required, VDB Entry (vdb-entry, technical-description): https://vuldb.com/?id.323867
Permissions Required, VDB Entry (signature, permissions-required): https://vuldb.com/?ctiid.323867
Permissions Required, VDB Entry (third-party-advisory): https://vuldb.com/?submit.647589
Scores
CVSS v3: 6.3
EPSS: 0.0029
EPSS Percentile: 20.3%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-20, CWE-502
Status: published
Products (6)
1Panel-dev/MaxKB 2.0
1Panel-dev/MaxKB 2.0.0
1Panel-dev/MaxKB 2.0.1
1Panel-dev/MaxKB 2.0.2
1Panel-dev/MaxKB 2.1.0
1Panel-dev/MaxKB 2.1.1
Published: Sep 15, 2025
Tracked Since: Feb 18, 2026