CVE-2024-56137

MaxKB, which stands for Max Knowledge Base, is an open source knowledge base question-answering system based on a large language model and retrieval-augmented generation (RAG). Prior to version 1.9.0, a remote command execution vulnerability exists in the module of function library. The vulnerability allow privileged‌ users to execute OS command in custom scripts. The vulnerability has been fixed in v1.9.0.

CVSS v3 6.8 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-76w2-2g72-cg85	Exploit Vendor Advisory
https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-76w2-2g72-cg85	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:maxkb:maxkb:*:*:*:*:-:*:*:*

History

01 Aug 2025, 20:15

Type	Values Removed	Values Added
Summary		(es) MaxKB, acrónimo de Max Knowledge Base, es un sistema de preguntas y respuestas de base de conocimiento de código abierto basado en un modelo de lenguaje grande y generación aumentada por recuperación (RAG). Antes de la versión 1.9.0, existía una vulnerabilidad de ejecución remota de comandos en el módulo de la biblioteca de funciones. La vulnerabilidad permitía a los usuarios privilegiados ejecutar comandos del sistema operativo en scripts personalizados. La vulnerabilidad se ha corregido en la versión 1.9.0.
CPE		cpe:2.3:a:maxkb:maxkb:::::-:::*
References	~~() https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-76w2-2g72-cg85 -~~	() https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-76w2-2g72-cg85 - Exploit, Vendor Advisory
First Time		Maxkb maxkb Maxkb

02 Jan 2025, 18:15

Type	Values Removed	Values Added
References	~~() https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-76w2-2g72-cg85 -~~	() https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-76w2-2g72-cg85 -

02 Jan 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-02 15:15

Updated : 2025-08-01 20:15

NVD link : CVE-2024-56137

Mitre link : CVE-2024-56137

CVE.ORG link : CVE-2024-56137

JSON object : View

Products Affected

maxkb

maxkb

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

6.8 /10