Platform
python
Component
1panel-dev-maxkb
Fixed in
2.6.1
2.6.2
CVE-2026-6108 is a Command Injection vulnerability identified in 1Panel-dev MaxKB versions 2.6.0 through 2.6.1. This flaw allows attackers to execute arbitrary operating system commands on the affected system, potentially leading to unauthorized access and control. The vulnerability resides within the 'execute' function of the 'basemcpnode.py' file. A fixed version, 2.6.2, has been released to address this issue.
A command injection vulnerability (CVE-2026-6108) has been identified in 1Panel-dev MaxKB versions up to 2.6.1. The flaw resides in the 'execute' function of 'apps/application/flow/stepnode/mcpnode/impl/basemcpnode.py' in the Model Context Protocol Node component. A remote attacker can exploit it by manipulating input to this function and thereby execute arbitrary operating system commands on the underlying server. The CVSS score for this vulnerability is 6.3, indicating a moderate to high risk. The public availability of an exploit significantly increases the risk, as it facilitates identification and use by malicious actors. Exposure to this vulnerability could result in system compromise, data theft, or service disruption.
CVE-2026-6108 allows remote code execution (RCE) through operating system command injection. An attacker can exploit the 'execute' function in 'basemcpnode.py' to inject commands that are executed with the privileges of the MaxKB process. The public availability of an exploit lowers the bar for exploitation and increases the likelihood of attacks. A thorough review of system logs is recommended to identify potential exploitation attempts. Because exploitation is remote, attackers can attempt it from any host with network access to the MaxKB instance.
Exploit Status
EPSS
0.34% (57% percentile)
The recommended mitigation for this vulnerability is to immediately upgrade 1Panel-dev MaxKB to version 2.6.2 or later. This version includes a fix that addresses the command injection vulnerability. While performing the upgrade, consider implementing additional security measures such as restricting application access, strengthening firewall configurations, and monitoring system activity for signs of compromise. The vendor, 1Panel-dev, has been notified of the vulnerability and has responded professionally, providing an update to resolve the issue. Prompt application of the update is crucial to protect your system from potential attacks.
Update the MaxKB component to version 2.6.2 or later to mitigate the operating system command injection vulnerability. The update corrects the flaw in system command handling, preventing unauthorized code execution.
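Since the only remediation is a version upgrade, the practical first step for a defender is to find out which deployments pin an affected MaxKB release. The following is an added example (not part of this advisory and not code from the MaxKB project) that scans a requirements.txt for a MaxKB pin inside the affected range. It assumes the distribution is listed under the name "maxkb" or "1panel-dev-maxkb" (the exact PyPI distribution name is an assumption; the page only names the component "1panel-dev-maxkb"), and it uses the affected range 2.6.0 through 2.6.1 and fixed version 2.6.2 exactly as the advisory states. The sample requirements content is constructed.

```python
"""Flag MaxKB pins that fall in the CVE-2026-6108 affected range.

Added example, not the advisory's or the project's own code. Assumptions:
  - MaxKB appears in requirements.txt as "maxkb" or "1panel-dev-maxkb"
    (distribution name is an assumption, see lead-in)
  - affected: 2.6.0 through 2.6.1 inclusive; fixed in 2.6.2 (from the advisory)
"""
import re
from typing import Dict, List, Tuple

AFFECTED_MIN = (2, 6, 0)
AFFECTED_MAX = (2, 6, 1)
FIXED_IN = (2, 6, 2)
# Normalized distribution names treated as MaxKB (assumption).
MAXKB_NAMES = {"maxkb", "1panel-dev-maxkb"}

# Constructed sample input: one vulnerable pin, one fixed pin, two unrelated packages.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
django==4.2.11
MaxKB==2.6.1  # vulnerable pin
requests>=2.31
1panel-dev-maxkb==2.6.2
"""

# name, optional extras, optional operator, optional version
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*"
    r"(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?"
)


def normalize_name(name: str) -> str:
    """PEP 503 normalization: runs of '-', '_' or '.' become one '-', lower-cased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> Tuple[int, ...]:
    """Keep leading numeric components only; a suffix such as 'rc1' is dropped."""
    parts: List[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: Tuple[int, ...]) -> bool:
    """True when the version lies in the inclusive affected range."""
    v = (version + (0, 0, 0))[:3]  # pad so (2, 6) compares as (2, 6, 0)
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def check_requirements(text: str) -> List[Dict[str, object]]:
    """Return one finding per MaxKB requirement line, with its vulnerability status."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or line.startswith("-"):  # skip blanks and pip options (-r, -e, ...)
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, op, ver = m.groups()
        if normalize_name(name) not in MAXKB_NAMES:
            continue
        if op == "==" and ver:
            status = "vulnerable" if is_affected(parse_version(ver)) else "not affected"
        else:
            # A range or unpinned requirement cannot be judged from the file alone.
            status = "unpinned: verify installed version"
        findings.append({"line": lineno, "requirement": line, "status": status})
    return findings


if __name__ == "__main__":
    for f in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f['line']}: {f['requirement']} -> {f['status']}")
```

The check deliberately reports unpinned or range-constrained MaxKB entries as "verify installed version" rather than guessing, since the installed release, not the constraint, decides exposure; for a deployed instance, compare the running version against the same inclusive range.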
It's a vulnerability that allows an attacker to execute arbitrary commands on the underlying operating system.
It's a unique identifier for this vulnerability, used to track and reference it.
Version 2.6.2 contains a fix for the operating system command injection vulnerability.
Implement additional security measures, such as restricting access and strengthening the firewall.
Contact the vendor, 1Panel-dev, directly for technical support.