CVE-2025-66419
MaxKB < 2.4.0 - Privilege Escalation
Severity
HIGH
Title source: llmDescription
MaxKB is an open-source AI assistant for enterprise. In versions 2.3.1 and earlier, a race condition (CWE-362) in the tool module allows an attacker to escape the sandbox environment and escalate privileges under certain concurrent conditions; the CVSS vector (PR:L, UI:N) indicates that a low-privileged authenticated user can trigger it over the network without user interaction. This issue is fixed in version 2.4.0; upgrade to 2.4.0 or later.
Scores
CVSS v3
8.8
EPSS
0.0005
EPSS Percentile
14.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization, i.e. race condition)
Status
published
Affected Products (1)
maxkb/maxkb
< 2.4.0
Timeline
Published
Dec 11, 2025
Tracked Since
Feb 18, 2026