anonhaven
Ad

CVE-2026-39424

MEDIUM CVSS 4.0: 5.3 EPSS 0.07%
Updated Apr 17, 2026
Microsoft
Parameter Value
CVSS 5.3 (MEDIUM)
Fixed In 2.8.0
Type CWE-1236
Vendor Microsoft
Public PoC No

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, the chat export feature is vulnerable to Improper Neutralization of Formula Elements in a CSV File. When an administrator exports the application chat history to an Excel file (.xlsx) via the /admin/api/workspace/{workspace_id}/application/{application_id}/chat/export endpoint, strings starting with formula characters are written directly without proper sanitization.

Opening this file in spreadsheet applications like Microsoft Excel can lead to Arbitrary Code Execution (RCE) on the administrator's workstation via Dynamic Data Exchange (DDE). The issue is a variant of CVE-2025-4546, which fixed the exact same pattern in apps/dataset/serializers/document_serializers.py but missed the application chat export sink. This issue has been fixed in version 2.8.0.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
Low
Partial disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-1236

References 3

https://github.com/1Panel-dev/MaxKB/commit/24cd68acae5f726eed828e2ac801827a2a70…
security-advisories@github.com
https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0
security-advisories@github.com
https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-rr4r-7cj2-29vp
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-23772

Microsoft

7.3

CVE-2026-4682

Microsoft

8.7

CVE-2026-33825

Microsoft

7.8

CVE-2026-33822

Microsoft

6.1

CVE-2026-33115

Microsoft

8.4