CVE-2025-66419

HIGH

MaxKB <2.4.0 - Privilege Escalation

Title source: llm

Description

MaxKB is an open-source AI assistant for enterprise. In versions 2.3.1 and below, the tool module allows an attacker to escape the sandbox environment and escalate privileges under certain concurrent conditions. This issue is fixed in version 2.4.0.

References (3)

[Vendor Advisory] https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-f9qm-2pxq-fx6c

[Patch] https://github.com/1Panel-dev/MaxKB/commit/f8ada9a110c4dbef8c3c2636c78847ecd621ece7

View Patch ZIP pw:eip

[Release Notes] https://github.com/1Panel-dev/MaxKB/releases/tag/v2.4.0

Scores

CVSS v3 8.8

EPSS 0.0006

EPSS Percentile 19.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-362

Status published

Products (1)

maxkb/maxkb < 2.4.0

Published Dec 11, 2025

Tracked Since Feb 18, 2026