Lucene search
+L

265 matches found

OSV
OSV
added 2026/03/13 8:50 p.m.4 views

CVE-2026-32628 AnythingLLM has SQL Injection in Built-in SQL Agent Plugin via Unsanitized table_name Parameter

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invoke the agent to execute arbitrary SQL commands on connected...

7.7CVSS6.2AI score0.00299EPSS
Exploits1References4
NVD
NVD
added 2026/03/12 6:16 p.m.8 views

CVE-2026-32137

Dataease is an open source data visualization analysis tool. Prior to 2.10.20, The table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableName is a user-controllable string, attackers can inject...

9.3CVSS0.00418EPSS
Exploits1References1
EUVD
EUVD
added 2026/03/12 5:53 p.m.7 views

EUVD-2026-11647

Dataease is an open source data visualization analysis tool. Prior to 2.10.20, The table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableName is a user-controllable string, attackers can inject...

9.3CVSS5.8AI score0.00418EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/03/12 5:53 p.m.5 views

CVE-2026-32137

Dataease is an open source data visualization analysis tool. Prior to 2.10.20, The table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableName is a user-controllable string, attackers can inject...

9.3CVSS5.8AI score0.00418EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/03/12 5:53 p.m.26 views

CVE-2026-32137

CVE-2026-32137: Dataease prior to 2.10.20 is vulnerable to SQL injection in the /de2api/datasource/previewData endpoint via a directly concatenated tableName parameter. The table name is user-controllable and is not filtered or parameterized, enabling injection into the SQL statement. The issue a...

9.3CVSS5.8AI score0.00418EPSS
Exploits1References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/12 12:0 a.m.9 views

PT-2026-25034

Dataease is an open source data visualization analysis tool. Prior to 2.10.20, The table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableName is a user-controllable string, attackers can inject...

9.3CVSS5.8AI score0.00418EPSS
Exploits1References4
Veracode
Veracode
added 2026/03/07 5:11 a.m.6 views

SQL Injection

CocoIndex is vulnerable to SQL Injection. The vulnerability is due to insufficient validation of the configured table name in the Doris target connector, where untrusted input may be used to construct ALTER TABLE SQL statements, allowing attackers to inject malicious SQL during schema changes...

9.8CVSS5.9AI score0.00282EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/06 6:39 a.m.4 views

CVE-2026-28438 CocoIndex Doris target connector didn't verify table name when constructing ALTER TABLE statements

CocoIndex is a data transformation framework for AI. Prior to version 0.3.34, the Doris target connector didn't verify the configured table name before creating some SQL statements ALTER TABLE. So, in the application code, if the table name is provided by an untrusted upstream, it expose...

6.9CVSS5.8AI score0.00282EPSS
Exploits0References2
OSV
OSV
added 2026/03/06 6:39 a.m.8 views

CVE-2026-28438 CocoIndex Doris target connector didn't verify table name when constructing ALTER TABLE statements

CocoIndex is a data transformation framework for AI. Prior to version 0.3.34, the Doris target connector didn't verify the configured table name before creating some SQL statements ALTER TABLE. So, in the application code, if the table name is provided by an untrusted upstream, it expose...

6.9CVSS5.8AI score0.00282EPSS
Exploits0References4
CVE
CVE
added 2026/03/06 6:39 a.m.24 views

CVE-2026-28438

CVE-2026-28438 affects CocoIndex: Doris target connector before 0.3.34 did not validate the configured table name when constructing ALTER TABLE statements, enabling SQL injection if a table name from an untrusted upstream is used during schema changes. The issue has been patched in version 0.3.34...

9.8CVSS5.9AI score0.00282EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/03/02 8:27 p.m.3 views

SQL Injection

Overview cocoindex is a With CocoIndex, users declare the transformation, CocoIndex creates & maintains an index, and keeps the derived index up to date based on source update, with minimal computation and changes. Affected versions of this package are vulnerable to SQL Injection in the Doris...

9.8CVSS6AI score0.00282EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/02 8:27 p.m.11 views

CocoIndex Doris target connector didn't verify table name when constructing ALTER TABLE statements

Impact The Doris target connector didn't verify the configured table name before creating some SQL statements ALTER TABLE. So, in the application code, if the table name is provided by an untrusted upstream, it expose vulnerability to SQL injection when target schema change. Patches Yes, it's fix...

9.8CVSS6AI score0.00282EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/03/02 8:27 p.m.3 views

GHSA-59G6-V3VG-F7WC CocoIndex Doris target connector didn't verify table name when constructing ALTER TABLE statements

Impact The Doris target connector didn't verify the configured table name before creating some SQL statements ALTER TABLE. So, in the application code, if the table name is provided by an untrusted upstream, it expose vulnerability to SQL injection when target schema change. Patches Yes, it's fix...

9.3CVSS6AI score0.00282EPSS
Exploits0References4
Patchstack
Patchstack
added 2025/12/31 12:0 a.m.11 views

WordPress WP Online Users Stats plugin <= 1.0.0 - Authenticated (Editor+) SQL Injection via table_name Parameter vulnerability

Authenticated Editor+ SQL Injection via tablename Parameter vulnerability discovered by rajanhoyr in WordPress Plugin WP Online Users Stats versions = 1.0.0...

4.9CVSS5.9AI score0.00315EPSS
Exploits0References1Affected Software1
RedhatCVE
RedhatCVE
added 2025/11/25 12:17 a.m.16 views

CVE-2025-56401

ZIRA Group WBRM 7.0 is vulnerable to SQL Injection in referenceLookupsByTableNameAndColumnName...

7.6CVSS8AI score0.00223EPSS
Exploits1References1
EUVD
EUVD
added 2025/11/24 6:31 p.m.5 views

EUVD-2025-198805

ZIRA Group WBRM 7.0 is vulnerable to SQL Injection in referenceLookupsByTableNameAndColumnName...

7.6CVSS7.5AI score0.00223EPSS
Exploits1References3
OSV
OSV
added 2025/11/24 4:15 p.m.5 views

CVE-2025-56401

ZIRA Group WBRM 7.0 is vulnerable to SQL Injection in referenceLookupsByTableNameAndColumnName...

7.6CVSS5.8AI score0.00223EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2025/11/24 12:0 a.m.6 views

PT-2025-47926

Name of the Vulnerable Software and Affected Versions ZIRA Group WBRM version 7.0 Description ZIRA Group WBRM version 7.0 is susceptible to a SQL Injection issue occurring in the referenceLookupsByTableNameAndColumnName function. The issue allows for potential manipulation of database queries...

7.6CVSS7.2AI score0.00223EPSS
Exploits1References8
Vulnrichment
Vulnrichment
added 2025/11/24 12:0 a.m.4 views

CVE-2025-56401

ZIRA Group WBRM 7.0 is vulnerable to SQL Injection in referenceLookupsByTableNameAndColumnName...

7.6AI score0.00223EPSS
Exploits1References1
CNVD
CNVD
added 2025/10/20 12:0 a.m.4 views

DataEase SQL Injection Vulnerability

DataEase is a set of Java-based development of open source data visualization and analysis tools to help users quickly analyze data and insight into business trends , so as to achieve business improvement and optimization . DataEase /de2api/datasetData/tableField processing tableName parameter...

8.8CVSS8AI score0.00474EPSS
Exploits1References1
Rows per page
Query Builder