10 matches found

RedhatCVE
added 2026/01/07 9:11 a.m. · 14 views

CVE-2025-1750

An SQL injection vulnerability exists in the delete function of DuckDBVectorStore in run-llama/llama_index version v0.12.19. This vulnerability allows an attacker to manipulate the ref_doc_id parameter, enabling them to read and write arbitrary files on the server, potentially leading to remote code...

9.8 CVSS · 8.6 AI score · 0.00705 EPSS
Exploits: 1 · References: 1
EUVD
added 2025/10/03 8:7 p.m. · 3 views

EUVD-2025-16628

Malicious code in bioql PyPI...

9.8 CVSS · 9.3 AI score · 0.00705 EPSS
Exploits: 1 · References: 3
BDU FSTEC
added 2025/06/05 12:0 a.m. · 4 views

The vulnerability of the DuckDBVectorStore class in the LlamaIndex framework for working with large language models allows a hacker to execute arbitrary code.

The vulnerability of the DuckDBVectorStore class in the LlamaIndex framework for working with large language models involves a lack of protection for SQL query structures. Exploiting this vulnerability allows an attacker to execute arbitrary code remotely...

10 CVSS · 8.2 AI score · 0.00705 EPSS
Exploits: 1 · References: 3 · Affected Software: 1
NVD
added 2025/06/02 10:15 a.m. · 9 views

CVE-2025-1750

An SQL injection vulnerability exists in the delete function of DuckDBVectorStore in run-llama/llama_index version v0.12.19. This vulnerability allows an attacker to manipulate the ref_doc_id parameter, enabling them to read and write arbitrary files on the server, potentially leading to remote code...

9.8 CVSS · 0.00705 EPSS
Exploits: 1 · References: 2
OSV
added 2025/06/02 10:15 a.m. · 4 views

CVE-2025-1750

An SQL injection vulnerability exists in the delete function of DuckDBVectorStore in run-llama/llama_index version v0.12.19. This vulnerability allows an attacker to manipulate the ref_doc_id parameter, enabling them to read and write arbitrary files on the server, potentially leading to remote code...

9.8 CVSS · 8.9 AI score
Exploits: 0 · References: 2
CVE
added 2025/06/02 10:4 a.m. · 64 views

CVE-2025-1750

CVE-2025-1750 affects run-llama/llama_index v0.12.19, via an SQL injection in the DuckDBVectorStore.delete path that lets an attacker manipulate ref_doc_id to read/write arbitrary server files and potentially achieve remote code execution (RCE). Public analyses corroborate the risk and point to t...

9.8 CVSS · 8.8 AI score · 0.00705 EPSS
Exploits: 1 · References: 2 · Affected Software: 1
Cvelist
added 2025/06/02 10:4 a.m. · 32 views

CVE-2025-1750 SQL Injection in run-llama/llama_index

An SQL injection vulnerability exists in the delete function of DuckDBVectorStore in run-llama/llama_index version v0.12.19. This vulnerability allows an attacker to manipulate the ref_doc_id parameter, enabling them to read and write arbitrary files on the server, potentially leading to remote code...

9.8 CVSS · 0.00705 EPSS
Exploits: 1 · References: 2
Vulnrichment
added 2025/06/02 10:4 a.m. · 15 views

CVE-2025-1750 SQL Injection in run-llama/llama_index

An SQL injection vulnerability exists in the delete function of DuckDBVectorStore in run-llama/llama_index version v0.12.19. This vulnerability allows an attacker to manipulate the ref_doc_id parameter, enabling them to read and write arbitrary files on the server, potentially leading to remote code...

9.8 CVSS · 8.6 AI score · 0.00705 EPSS
Exploits: 1 · References: 2
Huntr
added 2025/02/25 10:4 a.m. · 4 views

SQL Injection in DuckDBVectorStore via delete can lead to RCE

Description: The delete function in DuckDBVectorStore easily attacks SQL when the attack controls the ref_doc_id parameter. This can help attackers read and write arbitrary files on the server and lead to rce. ddbquery = f""" DELETE FROM self.tablename WHERE jsonextractstringmetadata, '$.refdocid' =...

9.8 CVSS · 7.7 AI score · 0.00705 EPSS
Exploits: 1
Positive Technologies
added 2025/02/25 12:0 a.m. · 3 views

PT-2025-23488 · Run Llama +1 · Llama Index +1

Name of the Vulnerable Software and Affected Versions: run-llama/llama_index version v0.12.19 Description: An SQL injection vulnerability exists in the delete function of DuckDBVectorStore. This vulnerability allows an attacker to manipulate the ref_doc_id parameter, enabling them to read and wri...

9.8 CVSS · 9.7 AI score · 0.00705 EPSS
Exploits: 1 · References: 14