{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-66419", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-11-28T23:33:56.367Z", "datePublished": "2025-12-11T21:39:15.361Z", "dateUpdated": "2025-12-18T20:35:44.242Z"}, "containers": {"cna": {"title": "MaxKB vulnerable to privilege escalation through sandbox bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-f9qm-2pxq-fx6c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-f9qm-2pxq-fx6c"}, {"name": "https://github.com/1Panel-dev/MaxKB/commit/f8ada9a110c4dbef8c3c2636c78847ecd621ece7", "tags": ["x_refsource_MISC"], "url": "https://github.com/1Panel-dev/MaxKB/commit/f8ada9a110c4dbef8c3c2636c78847ecd621ece7"}, {"name": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.4.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.4.0"}], "affected": [{"vendor": "1Panel-dev", "product": "MaxKB", "versions": [{"version": "< 2.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-12-11T21:39:15.361Z"}, "descriptions": [{"lang": "en", "value": "MaxKB is an open-source AI assistant for enterprise. In versions 2.3.1 and below, the tool module allows an attacker to escape the sandbox environment and escalate privileges under certain concurrent conditions. This issue is fixed in version 2.4.0."}], "source": {"advisory": "GHSA-f9qm-2pxq-fx6c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-18T20:35:35.131790Z", "id": "CVE-2025-66419", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-18T20:35:44.242Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-66419", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-18T20:35:35.131790Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-18T20:35:39.596Z"}}], "cna": {"title": "MaxKB vulnerable to privilege escalation through sandbox bypass", "source": {"advisory": "GHSA-f9qm-2pxq-fx6c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "1Panel-dev", "product": "MaxKB", "versions": [{"status": "affected", "version": "< 2.4.0"}]}], "references": [{"url": "https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-f9qm-2pxq-fx6c", "name": "https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-f9qm-2pxq-fx6c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/1Panel-dev/MaxKB/commit/f8ada9a110c4dbef8c3c2636c78847ecd621ece7", "name": "https://github.com/1Panel-dev/MaxKB/commit/f8ada9a110c4dbef8c3c2636c78847ecd621ece7", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.4.0", "name": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.4.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MaxKB is an open-source AI assistant for enterprise. In versions 2.3.1 and below, the tool module allows an attacker to escape the sandbox environment and escalate privileges under certain concurrent conditions. This issue is fixed in version 2.4.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-12-11T21:39:15.361Z"}}}, "cveMetadata": {"cveId": "CVE-2025-66419", "state": "PUBLISHED", "dateUpdated": "2025-12-18T20:35:44.242Z", "dateReserved": "2025-11-28T23:33:56.367Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-12-11T21:39:15.361Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:maxkb:maxkb:*:*:*:*:-:*:*:*", "matchCriteriaId": "E28BF7E2-E3AC-4B21-BE1A-18D1E24691A4", "versionEndExcluding": "2.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MaxKB is an open-source AI assistant for enterprise. In versions 2.3.1 and below, the tool module allows an attacker to escape the sandbox environment and escalate privileges under certain concurrent conditions. This issue is fixed in version 2.4.0."}], "id": "CVE-2025-66419", "lastModified": "2025-12-15T18:05:09.270", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-12-11T22:15:55.817", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/1Panel-dev/MaxKB/commit/f8ada9a110c4dbef8c3c2636c78847ecd621ece7"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.4.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-f9qm-2pxq-fx6c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"created": "2025-12-12T08:49:33.783045+00:00", "updated": "2025-12-12T08:49:33.783071+00:00", "vendors": ["1panel", "1panel$PRODUCT$maxkb"]}