{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6108", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-11T07:35:04.182Z", "datePublished": "2026-04-12T01:00:19.735Z", "dateUpdated": "2026-04-14T14:00:16.365Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-12T01:00:19.735Z"}, "title": "1Panel-dev MaxKB Model Context Protocol Node base_mcp_node.py execute os command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "OS Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}], "affected": [{"vendor": "1Panel-dev", "product": "MaxKB", "versions": [{"version": "2.6.0", "status": "affected"}, {"version": "2.6.1", "status": "affected"}], "cpes": ["cpe:2.3:a:maxkb:maxkb:*:*:*:*:*:*:*:*"], "modules": ["Model Context Protocol Node"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in 1Panel-dev MaxKB up to 2.6.1. The affected element is the function execute of the file apps/application/flow/step_node/mcp_node/impl/base_mcp_node.py of the component Model Context Protocol Node. Performing a manipulation results in os command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-04-11T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-11T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-11T09:40:31.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Ana10gy (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/356968", "name": "VDB-356968 | 1Panel-dev MaxKB Model Context Protocol Node base_mcp_node.py execute os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/356968/cti", "name": "VDB-356968 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/782279", "name": "Submit #782279 | 1Panel-dev MaxKB <= v2.6.1 Remote Code Execution", "tags": ["third-party-advisory"]}, {"url": "https://github.com/AnalogyC0de/public_exp/issues/30", "tags": ["exploit", "issue-tracking"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T14:00:07.416967Z", "id": "CVE-2026-6108", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:00:16.365Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6108", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:00:07.416967Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:00:12.824Z"}}], "cna": {"title": "1Panel-dev MaxKB Model Context Protocol Node base_mcp_node.py execute os command injection", "credits": [{"lang": "en", "type": "reporter", "value": "Ana10gy (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"cpes": ["cpe:2.3:a:maxkb:maxkb:*:*:*:*:*:*:*:*"], "vendor": "1Panel-dev", "modules": ["Model Context Protocol Node"], "product": "MaxKB", "versions": [{"status": "affected", "version": "2.6.0"}, {"status": "affected", "version": "2.6.1"}]}], "timeline": [{"lang": "en", "time": "2026-04-11T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-11T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-11T09:40:31.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/356968", "name": "VDB-356968 | 1Panel-dev MaxKB Model Context Protocol Node base_mcp_node.py execute os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/356968/cti", "name": "VDB-356968 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/782279", "name": "Submit #782279 | 1Panel-dev MaxKB <= v2.6.1 Remote Code Execution", "tags": ["third-party-advisory"]}, {"url": "https://github.com/AnalogyC0de/public_exp/issues/30", "tags": ["exploit", "issue-tracking"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in 1Panel-dev MaxKB up to 2.6.1. The affected element is the function execute of the file apps/application/flow/step_node/mcp_node/impl/base_mcp_node.py of the component Model Context Protocol Node. Performing a manipulation results in os command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "OS Command Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "Command Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-12T01:00:19.735Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6108", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:00:16.365Z", "dateReserved": "2026-04-11T07:35:04.182Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-12T01:00:19.735Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in 1Panel-dev MaxKB up to 2.6.1. The affected element is the function execute of the file apps/application/flow/step_node/mcp_node/impl/base_mcp_node.py of the component Model Context Protocol Node. Performing a manipulation results in os command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."}], "id": "CVE-2026-6108", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-12T01:16:16.807", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/AnalogyC0de/public_exp/issues/30"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/782279"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356968"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356968/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.6.1]"}}], "original": {"product": "MaxKB", "source": "cna", "vendor": "1Panel-dev"}, "product": "maxkb", "vendor": "1panel"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.6.1]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "MaxKB", "source": "cna", "vendor": "1Panel-dev"}, "product": "maxkb", "vendor": "maxkb"}], "analysis": {"en": {"generated_at": "2026-04-12T03:21:31.457340+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011released patch to upgrade MaxKB to version 2.6.2 or later.", "If immediate upgrade is not possible, isolate the vulnerable component from untrusted external traffic and restrict access to trusted networks.", "Enable audit logging and monitor for unexpected command execution or anomalous processes to detect possible exploitation."], "summary": {"action": "Patch Now", "impact": "Remote OS Command Execution"}, "threat_synthesis": {"affected_systems": "The affected software is 1Panel\u2011dev MaxKB, versions up to and including 2.6.1. The vulnerability exists in the Model Context Protocol Node component of the application and affects no other vendors or versions reported.", "description_and_impact": "A flaw in the execute method of base_mcp_node.py within 1Panel\u2011dev MaxKB allows an attacker to supply crafted input that triggers the execution of arbitrary operating\u2011system commands. This vulnerability enables remote code execution, granting the attacker the ability to compromise the confidentiality, integrity, and availability of the affected host system. The weakness is a command injection (CWE\u201177 and CWE\u201178).", "risk_and_exploitability": "The reported severity rating is moderate, corresponding to a score of 5.3, indicating moderate risk. Exploit probability data is not available. The vulnerability has not been cataloged by CISA's Known Exploited Vulnerabilities program. Information suggests the flaw can be triggered remotely, inferred from the description that manipulation can occur over a network. Successful exploitation requires network access to the vulnerable endpoint and sufficient privileges to execute system commands."}}}}, "created": "2026-04-13T12:41:46.056701+00:00", "updated": "2026-04-13T12:56:28.522329+00:00", "vendors": ["1panel", "1panel$PRODUCT$maxkb", "maxkb", "maxkb$PRODUCT$maxkb"]}