
CVE-2026-39424

· Published 14/04/2026 01:16 · Modified 14/04/2026 01:16

Labels: CVE-2026-39424, 2026-04-14, CWE-1236

Essential information

Published
14/04/2026 01:16
Modified
14/04/2026 01:16
Author
Creator
CVSS
5.3 MEDIUM (v3) 5.3 MEDIUM (v4.0)
CISA KEV
No
CWE
CWE-1236
CVSS vector

CVSS metrics

Description

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, the chat export feature is vulnerable to Improper Neutralization of Formula Elements in a CSV File. When an administrator exports the application chat history to an Excel file (.xlsx) via the /admin/api/workspace/{workspace_id}/application/{application_id}/chat/export endpoint, strings starting with formula characters are written directly without proper sanitization. Opening this file in spreadsheet applications like Microsoft Excel can lead to Arbitrary Code Execution (RCE) on the administrator's workstation via Dynamic Data Exchange (DDE). The issue is a variant of CVE-2025-4546, which fixed the exact same pattern in apps/dataset/serializers/document_serializers.py but missed the application chat export sink. This issue has been fixed in version 2.8.0.
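The missing step the description refers to is neutralizing cell values at the export sink. The following is an added example, not MaxKB's own code, written in Python because MaxKB's serializers are Python; the row layout, column names and the stdlib CSV writer are assumptions standing in for the real .xlsx export:

```python
"""Neutralize spreadsheet formula injection (CWE-1236) in exported chat rows.

Added example, not MaxKB's own code. Rows and column names are constructed;
the stdlib CSV writer stands in for the real xlsx export.
"""
import csv
import io

# Leading characters that make Excel or LibreOffice evaluate a cell as a
# formula (OWASP CSV-injection guidance); tab and CR matter for DDE payloads.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def _is_number(text: str) -> bool:
    """True for values such as '-12.5' that should stay numeric."""
    try:
        float(text)
        return True
    except ValueError:
        return False


def neutralize_cell(value):
    """Return a value the spreadsheet will display as text, never evaluate.

    A string whose first non-space character is a formula trigger gets a
    leading apostrophe (the spreadsheet's literal-text marker). Numeric
    strings such as '-3' stay numeric; non-strings pass through untouched.
    """
    if not isinstance(value, str):
        return value
    probe = value.lstrip(" ")  # conservative: look past leading spaces
    if probe.startswith(FORMULA_PREFIXES) and not _is_number(probe):
        return "'" + value
    return value


def export_chat_csv(rows, columns):
    """Serialize chat rows to CSV text, neutralizing every cell on the way."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(columns)
    for row in rows:
        writer.writerow([neutralize_cell(row.get(col)) for col in columns])
    return buf.getvalue()


# Constructed sample: the first question begins with a formula trigger.
SAMPLE_ROWS = [{"id": 1, "question": "=1+1", "answer": "Two."},
               {"id": 2, "question": "-12.5 degrees?", "answer": "Cold."}]
```

The visible apostrophe on escaped cells is the accepted trade-off; the same check applies unchanged when the writer is an xlsx library, as long as the value is stored as a string rather than a formula.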

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

Product CPE
maxkb / maxkb cpe:2.3:a:maxkb:maxkb:<2.8.0:*:*:*:*:*:*:*

References