Liqiang

**Name of the Vulnerable Software and Affected Versions** MaxKB versions prior to 2.8.0 **Description** An authenticated user with tool-editing permissions can bypass sandbox network protection to reach internal services that are explicitly blocked by the banned hosts configuration. The sandbox utilizes LD PRELOAD to hook the `connect()` function to block connections to banned IPs. However, using `socket.sendto()` with the `MSG FASTOPEN` flag allows TCP connections to be established directly through the kernel without calling `connect()`, thereby bypassing IP validation. While `sendto` is included in the `syscall()` wrapper, it remains ineffective because glibc invokes the kernel syscall directly instead of routing through the hooked `syscall()` function. **Recommendations** Update to version 2.8.0.

**Name of the Vulnerable Software and Affected Versions** MaxKB versions prior to 2.8.0 **Description** A sandbox escape exists in the ToolExecutor component. An authenticated attacker with workspace privileges can bypass the LD PRELOAD-based sandbox.so module by using the Python ctypes library to execute raw system calls. This allows for arbitrary code execution via direct kernel system calls, which can lead to container compromise and full network exfiltration. The sandbox.so module intercepts standard system functions such as 'execve', 'system', 'connect', and 'open', as well as 'mprotect' to prevent PROT EXEC (executable memory) allocations, but it fails to block 'pkey mprotect'. **Recommendations** Update to version 2.8.0.

**Name of the Vulnerable Software and Affected Versions** MaxKB versions prior to 2.8.0 **Description** A Stored Cross-Site Scripting (XSS) issue exists where the frontend `MdRenderer.vue` component parses custom `<iframe render>` tags from LLM responses or Application Prologue configurations. This process bypasses standard Markdown sanitization and XSS filtering. The unsanitized HTML content is then passed to the `IframeRender.vue` component, which renders it directly into an `<iframe>` via the `srcdoc` attribute configured with `sandbox="allow-scripts allow-same-origin"`. This allows injected scripts to escape the iframe and execute JavaScript in the parent window using `window.parent`. Because the Prologue is rendered for any user visiting an application chat interface, this can lead to session hijacking, unauthorized actions, and sensitive data exposure. **Recommendations** Update to version 2.8.0.