CVE-2026-56779
Published 2026-06-25
Priority P3 · 39 · medium · 6.4 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:C / C:L / I:L / A:N
EPSS: 0.17% (6.8th percentile)
MaxKB before 2.10.0 contains a server-side request forgery vulnerability in tool creation and update endpoints that allows authenticated users to make arbitrary server requests by supplying unvalidated downloadCallbackUrl and download_url parameters. Attackers with default workspace USER role can exploit this to access internal network services by providing malicious URLs to the ToolSerializer endpoints.
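The fix class the advisory implies is validation of the user-supplied `download_url` / `downloadCallbackUrl` values before the server fetches them. The block below is an added example written for this page, not MaxKB project code (it is in Python to match the project's backend language); the function names, the hostnames and the `FAKE_DNS` table are assumptions so that it runs offline. It shows the check a reviewer would want: allow-list the scheme, reject embedded credentials, and judge the destination by the addresses the host resolves to rather than by the hostname string, which is what defeats IP literals, decimal-form IPs, IPv4-mapped IPv6 and names that resolve into RFC1918 or the 169.254.169.254 metadata range.

```python
"""
Hardened validation for user-supplied callback / download URLs, the
downloadCallbackUrl and download_url pattern described in the advisory.

Added example, not MaxKB project code. The hostnames, the constructed
DNS table and the helper names are assumptions for offline demonstration.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _default_resolve(host):
    """Resolve a hostname to all of its A/AAAA answers via the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url, resolve=None):
    """Validate a user-supplied URL that the server is about to fetch.

    Returns the list of resolved IP addresses (as strings) the caller should
    pin its connection to; raises ValueError for anything that would reach a
    non-public address or that uses a non-HTTP scheme.
    """
    resolve = resolve or _default_resolve
    parts = urlsplit(url)

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")

    # An IP literal (including a bracketed IPv6 literal) is checked directly;
    # anything else is checked on what it resolves to, never on the name.
    # That closes the usual bypasses: decimal/octal IPs ("2130706433",
    # "0177.0.0.1"), names that resolve into RFC1918 space, and so on.
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError) as exc:
            raise ValueError(f"cannot resolve {host!r}: {exc}") from exc
    if not addrs:
        raise ValueError(f"{host!r} resolved to no addresses")

    for ip in addrs:
        # ::ffff:10.0.0.1 is an IPv4 address in disguise; judge the inner v4.
        effective = getattr(ip, "ipv4_mapped", None) or ip
        # is_global is False for loopback, link-local (incl. 169.254.169.254),
        # RFC1918, CGNAT 100.64/10, documentation ranges, multicast, etc.
        if not effective.is_global:
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return [str(a) for a in addrs]


def is_safe_outbound_url(url, resolve=None):
    """Boolean wrapper around validate_outbound_url for quick checks."""
    try:
        validate_outbound_url(url, resolve=resolve)
        return True
    except ValueError:
        return False


# Constructed DNS table so the example runs offline (assumption, not real DNS).
FAKE_DNS = {
    "hooks.example": ["93.184.216.34"],               # public address only
    "rebind.example": ["93.184.216.34", "10.0.0.5"],  # one answer is internal
    "2130706433": ["127.0.0.1"],                      # libc resolvers accept decimal IPv4
}


def fake_resolve(host):
    """Stand-in resolver reading FAKE_DNS; raises like socket.getaddrinfo."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no constructed DNS entry for {host!r}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    samples = [
        "https://hooks.example/callback",            # accepted
        "http://rebind.example/x",                   # rejected: one answer is 10.0.0.5
        "http://127.0.0.1:8000/api",                 # rejected: loopback literal
        "http://169.254.169.254/latest/meta-data/",  # rejected: link-local (cloud metadata)
        "http://[::ffff:10.0.0.1]/",                 # rejected: IPv4-mapped IPv6
        "http://2130706433/",                        # rejected: decimal form resolves to loopback
        "file:///etc/passwd",                        # rejected: scheme
        "http://user:pw@hooks.example/",             # rejected: embedded credentials
    ]
    for url in samples:
        verdict = "ok     " if is_safe_outbound_url(url, fake_resolve) else "reject "
        print(verdict, url)
```

Two caveats for anyone wiring this into a serializer. First, the check is only sound if the request is then made to the address the validator returned; resolving the name a second time at fetch time reopens the DNS-rebinding window, so pin the connection (a custom transport or an explicit IP with a Host header) or resolve once and reuse. Second, a redirect from a public host to an internal one bypasses a one-shot check, so either disable redirects for these fetches or re-run the validator on every hop. Putting the check in the field validation shared by the create and update paths avoids the situation the advisory describes, where both endpoints accept the parameter unvalidated.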
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 1panel-dev | maxkb | < 2.10.0 | 2.10.0 |
CVSS provenance
NVD, CVSS v3.1: 6.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
NVD, CVSS v4.0: 5.3 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulDB
1Panel-dev MaxKB up to 2.9.x ToolSerializer Endpoint download_url server-side request forgery (Issue 6272)
vuldb·2026-06-26·CVSS 6.4
A vulnerability, which was classified as critical, has been found in 1Panel-dev MaxKB up to 2.9.x. This vulnerability affects unknown code of the component ToolSerializer Endpoint. Performing a manipulation of the argument download_url results in server-side request forgery.
This vulnerability is known as CVE-2026-56779. Remote exploitation of the attack is possible. No exploit is available.
It is advisable to upgrade the affected component.
GHSA
ghsa_unreviewed · 2026-06-25 · CVE-2026-56779 [MEDIUM] · CWE-918 (Server-Side Request Forgery)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.