CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32383 – MaxKB has a reverse shell vulnerability in function library
https://notcve.org/view.php?id=CVE-2025-32383
10 Apr 2025 — MaxKB (Max Knowledge Base) is an open source knowledge base question-answering system based on a large language model and retrieval-augmented generation (RAG). A reverse shell vulnerability exists in the module of function library. The vulnerability allow privileged users to create a reverse shell. This vulnerability is fixed in v1.10.4-lts. • https://github.com/1Panel-dev/MaxKB/commit/4ae02c8d3eb65542c88ef58c0abd94c52c949d8f • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-56137 – MaxKB RCE vulnerability in function library
https://notcve.org/view.php?id=CVE-2024-56137
02 Jan 2025 — MaxKB, which stands for Max Knowledge Base, is an open source knowledge base question-answering system based on a large language model and retrieval-augmented generation (RAG). Prior to version 1.9.0, a remote command execution vulnerability exists in the module of function library. The vulnerability allow privileged users to execute OS command in custom scripts. The vulnerability has been fixed in v1.9.0. • https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-76w2-2g72-cg85 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.4EPSS: 56%CPEs: 1EXPL: 0CVE-2024-36111 – KubePi's JWT token validation has a defect
https://notcve.org/view.php?id=CVE-2024-36111
25 Jul 2024 — KubePi is a K8s panel. Starting in version 1.6.3 and prior to version 1.8.0, there is a defect in the KubePi JWT token verification. The JWT key in the default configuration file is empty. Although a random 32-bit string will be generated to overwrite the key in the configuration file when the key is detected to be empty in the configuration file reading logic, the key is empty during actual verification. Using an empty key to generate a JWT token can bypass the login verification and directly take over the... • https://github.com/1Panel-dev/KubePi/security/advisories/GHSA-8q5r-cvcw-4wx7 • CWE-1259: Improper Restriction of Security Token Assignment •
CVSS: 10.0EPSS: 50%CPEs: 1EXPL: 0CVE-2024-39911 – 1Panel SQL injection
https://notcve.org/view.php?id=CVE-2024-39911
18 Jul 2024 — 1Panel is a web-based linux server management control panel. 1Panel contains an unspecified sql injection via User-Agent handling. This issue has been addressed in version 1.10.12-lts. Users are advised to upgrade. There are no known workarounds for this vulnerability. 1Panel es un panel de control de gestión de servidores Linux basado en web. 1Panel contiene una inyección de SQL no especificada mediante el manejo de User-Agent. Este problema se solucionó en la versión 1.10.12-lts. • https://blog.mo60.cn/index.php/archives/1Panel_SQLinjection2Rce.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 31%CPEs: 1EXPL: 0CVE-2024-39907 – a sqlinjection in 1Panel
https://notcve.org/view.php?id=CVE-2024-39907
18 Jul 2024 — 1Panel is a web-based linux server management control panel. There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. These sql injections have been resolved in version 1.10.12-tls. Users are advised to upgrade. There are no known workarounds for these issues. 1Panel es un panel de control de gestión de servidores Linux basado en web. • https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.8EPSS: 1%CPEs: 1EXPL: 0CVE-2024-34352 – Arbitrary file write vulnerability in 1Panel
https://notcve.org/view.php?id=CVE-2024-34352
09 May 2024 — 1Panel is an open source Linux server operation and maintenance management panel. Prior to v1.10.3-lts, there are many command injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. The mirror configuration write symbol `>` can be used to achieve arbitrary file writing. This vulnerability is fixed in v1.10.3-lts. 1Panel es un panel de gestión de operación y mantenimiento de servidores Linux de código abierto. Antes de v1.10.3-lts,... • https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-f8ch-w75v-c847 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-30257 – 1Panel's password verification is suspected to have a timing attack vulnerability
https://notcve.org/view.php?id=CVE-2024-30257
18 Apr 2024 — 1Panel is an open source Linux server operation and maintenance management panel. The password verification in the source code uses the != symbol instead hmac.Equal. This may lead to a timing attack vulnerability. This vulnerability is fixed in 1.10.3-lts. 1Panel es un panel de gestión de operación y mantenimiento de servidores Linux de código abierto. • https://github.com/1Panel-dev/1Panel/blob/dev/backend/app/service/auth.go#L81C5-L81C26 • CWE-203: Observable Discrepancy •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27288 – 1Panel open source panel project has an unauthorized vulnerability.
https://notcve.org/view.php?id=CVE-2024-27288
06 Mar 2024 — 1Panel is an open source Linux server operation and maintenance management panel. Prior to version 1.10.1-lts, users can use Burp to obtain unauthorized access to the console page. The vulnerability has been fixed in v1.10.1-lts. There are no known workarounds. 1Panel es un panel de gestión de operación y mantenimiento de servidores Linux de código abierto. Antes de la versión 1.10.1-lts, los usuarios podían usar Burp para obtener acceso no autorizado a la página de la consola. • https://github.com/1Panel-dev/1Panel/releases/tag/v1.10.1-lts • CWE-863: Incorrect Authorization •