CVE-2025-53928 MEDIUM

CVE-2025-53928: MaxKB has RCE in MCP call

Vendor 1Panel-Dev
Product MaxKB
Weakness CWE-94 · Code injection
Published July 17, 2025
Last update July 17, 2025

CVSS base score

4.6/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

MaxKB is an open-source AI assistant for enterprise. Prior to versions 1.10.9-lts and 2.0.0, a Remote Command Execution vulnerability exists in the MCP call. Versions 1.10.9-lts and 2.0.0 fix the issue.

Key dates

02Disclosure timeline

July 17, 2025 CVE published
July 17, 2025 Record updated