PT-2026-32578 · Maxkb · Maxkb

Shaohuzhang1 · Published 2026-04-14 · Updated 2026-04-14 · CVE-2026-39424

CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: MaxKB versions prior to 2.8.0

Description: The chat export feature fails to properly sanitize strings starting with formula characters when an administrator exports application chat history to an Excel file (.xlsx) via the '/admin/api/workspace/{workspace id}/application/{application id}/chat/export' endpoint. A chat message beginning with such a character is written to the spreadsheet as a live formula, and when the exported file is opened this can lead to Arbitrary Code Execution (RCE) on the administrator workstation through Dynamic Data Exchange (DDE), a protocol that allows applications to share data and execute commands.

Recommendations: Update to version 2.8.0.
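The kind of cell sanitization an export path like this needs, as an added example that is not MaxKB's own code; the row layout (id/question/answer) and sample messages are constructed for illustration.

```python
# Added example (not MaxKB project code): neutralise cell values that a
# spreadsheet would otherwise evaluate as a formula, including DDE payloads.
from typing import Any, Dict, List

# Leading characters that make Excel / LibreOffice parse a cell as a formula.
# Tab and carriage return are included because some importers strip them and
# then see the "=" that follows.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def looks_like_formula(value: Any) -> bool:
    """True when a string value would be interpreted as a formula."""
    if not isinstance(value, str):
        return False
    # Leading spaces are ignored by several importers, so skip them too.
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def sanitize_cell(value: Any) -> Any:
    """Return `value` in a form the spreadsheet will show as literal text.

    Numbers, booleans and None pass through unchanged. A risky string is
    prefixed with an apostrophe, the conventional spreadsheet marker for
    "this cell is text"; the content is otherwise kept so the chat history
    stays readable. When writing .xlsx with a library, also make sure the
    value is stored as a string cell rather than a formula cell.
    """
    if looks_like_formula(value):
        return "'" + value
    return value


def sanitize_rows(rows: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply sanitize_cell to every value of every exported row."""
    return [{k: sanitize_cell(v) for k, v in row.items()} for row in rows]


# Constructed sample of what a chat-history export might contain. The
# formula in row 2 is a harmless placeholder standing in for user input
# that must not reach the spreadsheet as a live formula.
SAMPLE_ROWS = [
    {"id": 1, "question": "hello", "answer": "Hi, how can I help?"},
    {"id": 2, "question": "=SUM(1,2)", "answer": "+1 for that"},
    {"id": 3, "question": "  -5 degrees outside", "answer": "@everyone ok"},
]

if __name__ == "__main__":
    for row in sanitize_rows(SAMPLE_ROWS):
        print(row)
```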

Fix

RCE

Weakness Enumeration

Related Identifiers: CVE-2026-39424

Affected Products: Maxkb