265 matches found
CVE-2026-32628 AnythingLLM has SQL Injection in Built-in SQL Agent Plugin via Unsanitized table_name Parameter
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invoke the agent to execute arbitrary SQL commands on connected...
CVE-2026-32137
Dataease is an open source data visualization analysis tool. Prior to 2.10.20, The table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableName is a user-controllable string, attackers can inject...
EUVD-2026-11647
Dataease is an open source data visualization analysis tool. Prior to 2.10.20, The table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableName is a user-controllable string, attackers can inject...
CVE-2026-32137
Dataease is an open source data visualization analysis tool. Prior to 2.10.20, The table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableName is a user-controllable string, attackers can inject...
CVE-2026-32137
CVE-2026-32137: Dataease prior to 2.10.20 is vulnerable to SQL injection in the /de2api/datasource/previewData endpoint via a directly concatenated tableName parameter. The table name is user-controllable and is not filtered or parameterized, enabling injection into the SQL statement. The issue a...
PT-2026-25034
Dataease is an open source data visualization analysis tool. Prior to 2.10.20, The table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableName is a user-controllable string, attackers can inject...
SQL Injection
CocoIndex is vulnerable to SQL Injection. The vulnerability is due to insufficient validation of the configured table name in the Doris target connector, where untrusted input may be used to construct ALTER TABLE SQL statements, allowing attackers to inject malicious SQL during schema changes...
CVE-2026-28438 CocoIndex Doris target connector didn't verify table name when constructing ALTER TABLE statements
CocoIndex is a data transformation framework for AI. Prior to version 0.3.34, the Doris target connector didn't verify the configured table name before creating some SQL statements ALTER TABLE. So, in the application code, if the table name is provided by an untrusted upstream, it expose...
CVE-2026-28438 CocoIndex Doris target connector didn't verify table name when constructing ALTER TABLE statements
CocoIndex is a data transformation framework for AI. Prior to version 0.3.34, the Doris target connector didn't verify the configured table name before creating some SQL statements ALTER TABLE. So, in the application code, if the table name is provided by an untrusted upstream, it expose...
CVE-2026-28438
CVE-2026-28438 affects CocoIndex: Doris target connector before 0.3.34 did not validate the configured table name when constructing ALTER TABLE statements, enabling SQL injection if a table name from an untrusted upstream is used during schema changes. The issue has been patched in version 0.3.34...
SQL Injection
Overview cocoindex is a With CocoIndex, users declare the transformation, CocoIndex creates & maintains an index, and keeps the derived index up to date based on source update, with minimal computation and changes. Affected versions of this package are vulnerable to SQL Injection in the Doris...
CocoIndex Doris target connector didn't verify table name when constructing ALTER TABLE statements
Impact The Doris target connector didn't verify the configured table name before creating some SQL statements ALTER TABLE. So, in the application code, if the table name is provided by an untrusted upstream, it expose vulnerability to SQL injection when target schema change. Patches Yes, it's fix...
GHSA-59G6-V3VG-F7WC CocoIndex Doris target connector didn't verify table name when constructing ALTER TABLE statements
Impact The Doris target connector didn't verify the configured table name before creating some SQL statements ALTER TABLE. So, in the application code, if the table name is provided by an untrusted upstream, it expose vulnerability to SQL injection when target schema change. Patches Yes, it's fix...
WordPress WP Online Users Stats plugin <= 1.0.0 - Authenticated (Editor+) SQL Injection via table_name Parameter vulnerability
Authenticated Editor+ SQL Injection via tablename Parameter vulnerability discovered by rajanhoyr in WordPress Plugin WP Online Users Stats versions = 1.0.0...
CVE-2025-56401
ZIRA Group WBRM 7.0 is vulnerable to SQL Injection in referenceLookupsByTableNameAndColumnName...
EUVD-2025-198805
ZIRA Group WBRM 7.0 is vulnerable to SQL Injection in referenceLookupsByTableNameAndColumnName...
CVE-2025-56401
ZIRA Group WBRM 7.0 is vulnerable to SQL Injection in referenceLookupsByTableNameAndColumnName...
PT-2025-47926
Name of the Vulnerable Software and Affected Versions ZIRA Group WBRM version 7.0 Description ZIRA Group WBRM version 7.0 is susceptible to a SQL Injection issue occurring in the referenceLookupsByTableNameAndColumnName function. The issue allows for potential manipulation of database queries...
CVE-2025-56401
ZIRA Group WBRM 7.0 is vulnerable to SQL Injection in referenceLookupsByTableNameAndColumnName...
DataEase SQL Injection Vulnerability
DataEase is a set of Java-based development of open source data visualization and analysis tools to help users quickly analyze data and insight into business trends , so as to achieve business improvement and optimization . DataEase /de2api/datasetData/tableField processing tableName parameter...