
Shaohuzhang1

#20648 of 53,635
12.2 Total CVSS
Vulnerabilities · 2
Medium
2
PT-2026-32577
6.9
2026-04-14
Maxkb · Maxkb · CVE-2026-39423
**Name of the Vulnerable Software and Affected Versions**
MaxKB versions prior to 2.8.0

**Description**
An Eval Injection issue exists in the Markdown rendering engine. This allows any user who can interact with the AI chat interface to execute arbitrary JavaScript in the browsers of other users, including administrators, leading to Stored Cross-Site Scripting (XSS), which is a method of injecting malicious scripts into a trusted website.

**Recommendations**
Update to version 2.8.0.

PT-2026-32578
5.3
2026-04-14
Maxkb · Maxkb · CVE-2026-39424
**Name of the Vulnerable Software and Affected Versions**
MaxKB versions prior to 2.8.0

**Description**
The chat export feature fails to properly sanitize strings starting with formula characters when an administrator exports application chat history to an Excel file (.xlsx) via the '/admin/api/workspace/{workspace id}/application/{application id}/chat/export' endpoint. This can lead to Arbitrary Code Execution (RCE) on the administrator workstation through Dynamic Data Exchange (DDE), a protocol that allows applications to share data and execute commands.

**Recommendations**
Update to version 2.8.0.