MaxKB versions 2.7.1 and earlier have a vulnerability in the chat export feature accessed via the /admin/api/workspace/{workspace_id}/application/{application_id}/chat/export endpoint. The exported Excel (.xlsx) files contain unsanitized strings starting with formula characters, which can be interpreted by spreadsheet applications like Microsoft Excel as formulas. This improper neutralization of formula elements (CWE-1236) can lead to arbitrary code execution on the administrator's workstation through DDE. The issue is a variant of CVE-2025-4546, which addressed a similar problem in a different part of the application but missed this export functionality. The vulnerability is resolved in MaxKB version 2.8.0.

An attacker who can influence chat content that an administrator exports may cause malicious formulas to be embedded in the exported Excel file. When the administrator opens this file in a vulnerable spreadsheet application, it may trigger arbitrary code execution via DDE, compromising the administrator's workstation. This could lead to unauthorized actions or system compromise on the administrator's machine. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low complexity, no user interaction, and limited confidentiality, integrity, and availability impacts.

This vulnerability is fixed in MaxKB version 2.8.0. Administrators should upgrade to version 2.8.0 or later to remediate this issue. Until the upgrade is applied, avoid exporting chat histories to Excel files or ensure that exported files are opened in spreadsheet applications with DDE and formula execution disabled. Patch status is not explicitly stated in the vendor advisory, but the fix is included in version 2.8.0 as per the description.