Lucene search
K

538 matches found

CVE
CVE
added yesterday3 views

CVE-2026-57230

OpenReplay (self-hosted session replay) prior to 1.27.0 is affected by an authenticated SQL injection in the session search and analytics API for enterprise editions with multi-tenancy enabled. The vulnerability arises from building ClickHouse queries by inserting user input into the query string...

5.4CVSS6.1AI score
Exploits0References4
CVE
CVE
added yesterday3 views

CVE-2026-55879

OpenReplay (self-hosted) versions 1.24.0–1.24.x are affected by an unauthenticated stored XSS in the tracking SDK. The SDK accepts custom event names and captured page URLs from any visitor using a public project key and stores data in ClickHouse without output encoding. When rendered in the auth...

9.3CVSS6.1AI score
Exploits0References3
NVD
NVD
added yesterday6 views

CVE-2026-61461

Dify before 1.16.0-rc1 contains a SQL injection vulnerability in the MyScale vector store backend that allows attackers to execute arbitrary SQL by supplying unsanitized search parameters to the searchbyfulltext method without escaping or parameterization. Attackers can inject malicious SQL throu...

8.8CVSS
Exploits0References5
CVE
CVE
added yesterday11 views

CVE-2026-61461

Summary: CVE-2026-61461 affects Dify before 1.16.0-rc1, where the MyScale vector store backend is vulnerable to SQL injection via the search_by_full_text method due to unsanitized, unparameterized search parameters. This can allow an attacker to read, modify, or delete data in the underlying Clic...

8.8CVSS6.3AI score
Exploits0References5
EUVD
EUVD
added yesterday5 views

EUVD-2026-42973

Dify before 1.16.0-rc1 contains a SQL injection vulnerability in the MyScale vector store backend that allows attackers to execute arbitrary SQL by supplying unsanitized search parameters to the searchbyfulltext method without escaping or parameterization. Attackers can inject malicious SQL throu...

8.8CVSS6.3AI score
Exploits0References5
Cvelist
Cvelist
added yesterday13 views

CVE-2026-61461 Dify < 1.16.0-rc1 SQL Injection via MyScale Vector Store search_by_full_text

Dify before 1.16.0-rc1 contains a SQL injection vulnerability in the MyScale vector store backend that allows attackers to execute arbitrary SQL by supplying unsanitized search parameters to the searchbyfulltext method without escaping or parameterization. Attackers can inject malicious SQL throu...

8.8CVSS
Exploits0References5
CVE
CVE
added 2026/06/29 5:22 p.m.20 views

CVE-2026-57955

SigNoz versions up to 0.130.1 are affected by a SQL injection in the alert-history endpoints. The issue arises from unsanitized rule ID interpolation into ClickHouse queries, allowing authenticated attackers to inject URL-encoded quotes via the rule ID path parameter. The consequence is potential...

8.5CVSS6.1AI score0.00235EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/29 5:22 p.m.35 views

CVE-2026-57955 SigNoz 0.130.1 - SQL Injection in Alert History Endpoints via Rule ID Parameter

SigNoz through 0.130.1 contains a SQL injection vulnerability that allows authenticated attackers to execute arbitrary ClickHouse queries by injecting URL-encoded quotes into the rule ID path parameter of the alert-history endpoints. Attackers can manipulate the unsanitized rule ID interpolated...

8.5CVSS0.00235EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/29 5:22 p.m.7 views

EUVD-2026-40140

SigNoz through 0.130.1 contains a SQL injection vulnerability that allows authenticated attackers to execute arbitrary ClickHouse queries by injecting URL-encoded quotes into the rule ID path parameter of the alert-history endpoints. Attackers can manipulate the unsanitized rule ID interpolated...

8.5CVSS6.1AI score0.00235EPSS
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/17 3:13 a.m.7 views

Malicious code in @mastra/clickhouse (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ea737d5664a4642538e7e34488a6b0a8df3156828a62e33ada84544a33b214b5 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...

5.9AI score
Exploits0References2
OSV
OSV
added 2026/06/04 6:39 p.m.7 views

GHSA-WC3V-3457-C8CM OpenMeter: SQL injection through meter creation

Summary An authenticated tenant can inject arbitrary SQL through the valueProperty or groupBy fields of POST /api/v1/meters. The injection passes the application's JSONPath validation check and executes against the shared ClickHouse database, which contains event data for all tenants with no...

5.3CVSS6.1AI score0.00036EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/06/04 6:39 p.m.12 views

OpenMeter: SQL injection through meter creation

Summary An authenticated tenant can inject arbitrary SQL through the valueProperty or groupBy fields of POST /api/v1/meters. The injection passes the application's JSONPath validation check and executes against the shared ClickHouse database, which contains event data for all tenants with no...

6.1AI score0.00036EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/04 12:0 a.m.29 views

PT-2026-46869

Summary An authenticated tenant can inject arbitrary SQL through the valueProperty or groupBy fields of POST /api/v1/meters. The injection passes the application's JSONPath validation check and executes against the shared ClickHouse database, which contains event data for all tenants with no...

5.3CVSS6.1AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/04 12:0 a.m.16 views

PT-2026-46897

Name of the Vulnerable Software and Affected Versions OpenMeter affected versions not specified Description An authenticated tenant can perform SQL injection through the valueProperty or groupBy fields of the 'POST /api/v1/meters' endpoint. The issue occurs because the application uses string...

5.3CVSS6.1AI score0.00036EPSS
Exploits0References7
vulnersOsv
vulnersOsv
added 2026/06/01 10:29 a.m.6 views

airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +40 more potentially affected by CVE-2026-41014 via apache-airflow-core (>=3.0.0 <=3.2.1rc3)

apache-airflow-core PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =0.2.0, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =1.28.0rc1 and more Source cves: CVE-2026-41014 Source advisory: SNYK:PYTHON-APACHEAIRFLOWCORE-17137573...

4.3CVSS5.7AI score0.00352EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/06/01 10:29 a.m.6 views

airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +40 more potentially affected by CVE-2026-45360 via apache-airflow-core (>=3.0.0 <=3.2.1rc3)

apache-airflow-core PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =0.2.0, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =1.28.0rc1 and more Source cves: CVE-2026-45360 Source advisory: SNYK:PYTHON-APACHEAIRFLOWCORE-17137547...

7.3CVSS5.7AI score0.00651EPSS
Exploits0
Snyk
Snyk
added 2026/05/29 7:18 p.m.11 views

SQL Injection

Overview agno is an Agno: a lightweight library for building Multi-Agent Systems Affected versions of this package are vulnerable to SQL Injection via the deletebymetadata function in the clickhouse backend. An attacker can execute unintended SQL commands by supplying malicious metadata keys and...

8.7CVSS6AI score0.00319EPSS
Exploits0References2
NVD
NVD
added 2026/05/29 6:16 p.m.15 views

CVE-2026-10105

agno 2.6.5 contains a SQL injection vulnerability in the ClickHouse vector database backend that allows attackers to inject arbitrary SQL expressions by supplying malicious metadata keys and values to the deletebymetadata method. Attackers can exploit the unsafe f-string interpolation in...

8.7CVSS0.00319EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/29 4:18 p.m.39 views

CVE-2026-10105 agno 2.6.5 SQL Injection via ClickHouse delete_by_metadata()

agno 2.6.5 contains a SQL injection vulnerability in the ClickHouse vector database backend that allows attackers to inject arbitrary SQL expressions by supplying malicious metadata keys and values to the deletebymetadata method. Attackers can exploit the unsafe f-string interpolation in...

8.7CVSS0.00319EPSS
Exploits0References5
CVE
CVE
added 2026/05/29 4:18 p.m.27 views

CVE-2026-10105

CVE-2026-10105 affects agno 2.6.5, where the ClickHouse vector database backend exposes a SQL injection via the delete_by_metadata() method. The root cause is unsafe f-string interpolation in clickhousedb.py, enabling attackers to inject arbitrary SQL expressions through malicious metadata keys/v...

8.7CVSS6AI score0.00319EPSS
Exploits0References5
Rows per page
Query Builder