Vulnerabilities ›

CVE-2026-6108

Medium

CWE-77 — Weakness Type

                    Published: Apr 12, 2026                      ·  Modified: Apr 14, 2026                      ·  Source: NVD                

CVSS v3

6.3

🔗 NVD Official

📄 Description (English)

A vulnerability was found in 1Panel-dev MaxKB up to 2.6.1. The affected element is the function execute of the file apps/application/flow/step_node/mcp_node/impl/base_mcp_node.py of the component Model Context Protocol Node. Performing a manipulation results in os command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

🤖 AI Executive Summary

A remote OS command injection vulnerability exists in 1Panel-dev MaxKB up to version 2.6.1 within the Model Context Protocol Node component. Attackers can manipulate the execute function to inject arbitrary operating system commands.

📄 Description (Arabic)

ثغرة حقن أوامر نظام التشغيل في مكون Model Context Protocol Node بـ 1Panel-dev MaxKB تسمح للمهاجمين بتنفيذ أوامر نظام تشغيل عشوائية عن بعد. تم الكشف عن الاستغلال علناً والبائع قد أصدر إصلاحاً سريعاً.

🤖 ملخص تنفيذي (AI)

تم اكتشاف ثغرة حقن أوامر نظام التشغيل البعيدة في 1Panel-dev MaxKB حتى الإصدار 2.6.1 في مكون Model Context Protocol Node. يمكن للمهاجمين التلاعب بوظيفة execute لحقن أوامر نظام تشغيل عشوائية.

🤖 AI Intelligence Analysis Analyzed: May 19, 2026 07:07

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

government telecom banking healthcare

🎯 MITRE ATT&CK Techniques

T1059.004 T1190 T1203

⚖️ Saudi Risk Score (AI)

7.0

/ 10.0

🔧 Remediation Steps (English)

Immediately upgrade 1Panel-dev MaxKB to version 2.6.2 or later. If immediate patching is not possible, restrict network access to the affected component and implement input validation and sanitization for all user-supplied data passed to the execute function.

🔧 خطوات المعالجة (العربية)

قم بترقية 1Panel-dev MaxKB فوراً إلى الإصدار 2.6.2 أو أحدث. إذا لم يكن الترقيع الفوري ممكناً، قيد الوصول إلى الشبكة للمكون المتأثر وطبق التحقق من صحة المدخلات وتنظيفها لجميع البيانات المزودة من قبل المستخدم.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.7.1 A.12.2.1 A.12.6.1

🔵 SAMA CSF

ID.RA-1 PR.IP-1 PR.IP-12 DE.CM-1

🟡 ISO 27001:2022

A.12.2.1 A.12.6.1 A.14.2.1

🔗 References & Sources 4

🔗

https://github.com/AnalogyC0de/public_exp/issues/30

cna@vuldb.com

🔗

https://vuldb.com/submit/782279

cna@vuldb.com

🔗

https://vuldb.com/vuln/356968

cna@vuldb.com

🔗

https://vuldb.com/vuln/356968/cti

cna@vuldb.com

📊 CVSS Score

6.3

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityL — Low / Local

📋 Quick Facts

Severity Medium

CVSS Score6.3

CWECWE-77

EPSS0.34%

Exploit No

Patch ✗ No

Published 2026-04-12

Source Feed nvd

🇸🇦 Saudi Risk Score

7.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-77

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-6108

💬 Comments

Introduce Yourself

Sign In Required