{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-30T15:30:28.325","vulnerabilities":[{"cve":{"id":"CVE-2025-53927","sourceIdentifier":"security-advisories@github.com","published":"2025-07-17T14:15:32.403","lastModified":"2025-08-02T01:34:28.363","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"MaxKB is an open-source AI assistant for enterprise. Prior to version 2.0.0, the sandbox design rules can be bypassed because MaxKB only restricts the execution permissions of files in a specific directory. Therefore, an attacker can use the `shutil.copy2` method in Python to copy the command they want to execute to the executable directory. This bypasses directory restrictions and reverse shell. Version 2.0.0 fixes the issue."},{"lang":"es","value":"MaxKB es un asistente de IA de código abierto para empresas. Antes de la versión 2.0.0, las reglas de diseño de la sandbox se podían eludir, ya que MaxKB solo restringía los permisos de ejecución de los archivos en un directorio específico. Por lo tanto, un atacante podía usar el método `shutil.copy2` en Python para copiar el comando que desea ejecutar al directorio ejecutable. Esto elude las restricciones de directorio y el shell inverso. La versión 2.0.0 soluciona este problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L","baseScore":4.6,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":1.2,"impactScore":3.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.0,"impactScore":3.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-94"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:maxkb:maxkb:*:*:*:*:lts:*:*:*","versionEndExcluding":"2.0.0","matchCriteriaId":"2F17581A-45A6-42F7-99F1-5F37BCCA13F3"}]}]}],"references":[{"url":"https://github.com/1Panel-dev/MaxKB/releases/tag/v2.0.0","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-5xhm-4j3v-87m4","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}