Improper Neutralization of Formula Elements in MaxKB Product by 1Panel
CVE-2026-39424

5.3 MEDIUM

Key Information:

Vendor: 1panel-dev

Status: Vendor

CVE Published: 14 April 2026

What is CVE-2026-39424?

MaxKB, an open-source AI assistant designed for enterprise use, contains a vulnerability in its chat export feature. In versions 2.7.1 and earlier, when an administrator exports chat histories to an Excel file via a specific API endpoint, cell values that begin with formula characters are written without being neutralized. An attacker who can get such content into a chat history can therefore plant a formula that is evaluated when the exported file is opened in a spreadsheet application such as Microsoft Excel, which may lead to arbitrary code execution (RCE) on the administrator's system. This vulnerability is a variant of the previously identified CVE-2025-4546 and is resolved in version 2.8.0.
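The standard mitigation for this weakness class is to neutralize every exported cell before it is written, so that a spreadsheet stores the value as text rather than evaluating it. The block below is an added illustration of that check and is not MaxKB's own code; the column names, the sample rows and the `export_chat_rows` helper are constructed for the example, and the escaping rule (a leading single quote, with the OWASP formula-prefix set) is a general technique rather than the fix 1Panel shipped in 2.8.0.

```python
import csv
import io

# Characters that spreadsheet applications treat as the start of a formula
# (the set recommended by the OWASP CSV Injection guidance). Tab and carriage
# return are included because Excel honours them as cell prefixes when it
# imports delimited text.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_formula_cell(value):
    """Return `value` in a form a spreadsheet stores as literal text.

    A leading single quote makes Excel and LibreOffice keep the cell as a
    string; the quote itself is not displayed. Non-string values pass through
    unchanged. Leading spaces are ignored when deciding whether to escape,
    because some importers trim them before looking at the first character.
    """
    if not isinstance(value, str):
        return value
    if value.lstrip(" ").startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def export_chat_rows(rows):
    """Serialise chat-history rows to CSV text with every cell neutralized.

    `rows` is an iterable of dicts using the constructed keys below; a real
    export would carry the application's own columns, and the same per-cell
    check applies when writing XLSX through a library instead of CSV.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["timestamp", "role", "content"])
    for row in rows:
        writer.writerow([
            neutralize_formula_cell(row["timestamp"]),
            neutralize_formula_cell(row["role"]),
            neutralize_formula_cell(row["content"]),
        ])
    return buf.getvalue()


# Constructed sample chat history (not real data): a benign message, a message
# that begins with a formula character, and a legitimate negative number that
# will also be escaped (the accepted cost of this mitigation).
SAMPLE_ROWS = [
    {"timestamp": "2026-04-14T10:00:00Z", "role": "user",
     "content": "How do I reset my password?"},
    {"timestamp": "2026-04-14T10:00:05Z", "role": "user",
     "content": "=SUM(1,2)"},
    {"timestamp": "2026-04-14T10:00:09Z", "role": "assistant",
     "content": "-5 degrees is the expected reading."},
]

if __name__ == "__main__":
    print(export_chat_rows(SAMPLE_ROWS))
```

The third sample row shows the trade-off every reviewer of such a fix should expect: values that legitimately start with `-` or `+` are escaped as well and appear with a leading quote in the sheet, which is preferable to leaving the formula path open. When the export is produced with a spreadsheet library rather than CSV, the equivalent control is to apply the same check and to write cells explicitly as string-typed values.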

Affected Version(s)

MaxKB < 2.8.0

References

CVSS V4

Score: 5.3

Severity: MEDIUM

Confidentiality: Low

Integrity: Low

Availability: Low

Attack Vector: Network

Attack Complexity: Low

Attack Requirements: None

Privileges Required: Undefined

User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved