13 matches found
PYSEC-2026-325 DB-GPT is vulnerable to SQL Injection attacks from unauthenticated users
In eosphoros-ai/db-gpt version v0.6.0, the web API POST /api/v1/editor/sql/run allows execution of arbitrary SQL queries without any access control. This vulnerability can be exploited by attackers to perform Arbitrary File Write using DuckDB SQL, enabling them to write arbitrary files to the...
PYSEC-2026-321 DB-GPT vulnerable to Arbitrary File Upload with Path Traversal
In eosphoros-ai/db-gpt version v0.6.0, the web API POST /v1/personal/agent/upload is vulnerable to Arbitrary File Upload with Path Traversal. This vulnerability allows unauthorized attackers to upload arbitrary files to the victim's file system at any location. The impact of this vulnerability...
PYSEC-2026-322 DB-GPT Arbitrary File Write vulnerability
In eosphoros-ai/db-gpt version v0.6.3 and earlier, the web API POST /api/v1/editor/chart/run allows execution of arbitrary SQL queries without any access control. This vulnerability can be exploited by attackers to perform Arbitrary File Write, enabling them to write arbitrary files to the victim...
Exploit for SQL Injection in Dbgpt Db-Gpt
CVE-2025-51458-exp Pre-Auth SQL Injection in DB-GPThttps:/...
EUVD-2026-13806
A vulnerability has been found in eosphoros-ai DB-GPT up to 0.7.5. This issue affects the function moduleplugin.refreshplugins of the file packages/dbgpt-serve/src/dbgptserve/agent/hub/controller.py of the component FastAPI Endpoint. Such manipulation leads to unrestricted upload. It is possible ...
CVE-2026-4504
A flaw has been found in eosphoros-ai db-gpt up to 0.7.5. This vulnerability affects unknown code of the file /api/v1/editor/ of the component Incomplete Fix. This manipulation causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. Th...
CVE-2026-4504
A vulnerability (CVE-2026-4504) affects eosphoros-ai db-gpt up to version 0.7.5. The flaw involves unknown code in the /api/v1/editor/ path of the Incomplete Fix component, enabling SQL injection through manipulation. It can be exploited remotely and an exploit has been published. The vendor was ...
DB-GPT SQL注入漏洞
DB-GPT is an open-source development framework for AI-native data applications based on AWEL and proxies, developed by eosphoros. Versions of DB-GPT 0.7.5 and earlier contain a SQL injection vulnerability. This vulnerability stems from unknown code in the /file/api/v1/editor/ section, which may...
DB-GPT 代码注入漏洞
DB-GPT is an open-source development framework for AI-native data applications based on AWEL and proxies, developed by eosphoros. Version 0.7.5 of DB-GPT contains a code injection vulnerability, which stems from operations on components in the file/api/v1/serve/awel/flow/import, potentially leadi...
DB-GPT 代码问题漏洞
DB-GPT is an AWEL and agent-based AI native data application development framework open-sourced by eosphoros. A code issue vulnerability exists in DB-GPT version v0.6.0, which stems from the web API POST /api/v1/editor/chart/run allows the execution of arbitrary SQL queries, which allows an...
DB-GPT 跨站请求伪造漏洞
DB-GPT is an AWEL and proxy-based AI native data application development framework open-sourced by eosphoros. A cross-site request forgery vulnerability exists in DB-GPT version 0.6.0, which stems from an overly loose configuration of CORSMiddleware used by the uvicorn app, which could lead to a...
DB-GPT 路径遍历漏洞
DB-GPT is an AWEL and agent-based AI native data application development framework open-sourced by eosphoros. A path traversal vulnerability exists in DB-GPT version 0.6.0, which stems from an arbitrary file write vulnerability in the knowledge API that allows an attacker to write a file to an...
DB-GPT 安全漏洞
DB-GPT is an AWEL and agent-based AI native data application development framework open-sourced by eosphoros. A security vulnerability exists in DB-GPT version 0.6.0, which stems from an absolute path traversal vulnerability in the file upload endpoint, which allows an attacker to upload any file...