VYPR

Sqlbot

by Dataease

Source repositories

CVEs (8)

  • CVE-2026-33324 (High) May 5, 2026
    risk 0.57, cvss 8.8, epss 0.01

    SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. In versions 1.7.0 and earlier, the Text2SQL chat interface is vulnerable to prompt injection. The user-provided question parameter is directly concatenated into the LLM prompt without filtering…

  • CVE-2025-15597 (Medium) Mar 2, 2026
    risk 0.34, cvss 6.3, epss 0.01

    A vulnerability has been found in Dataease SQLBot up to 1.4.0. This affects an unknown function of the file backend/apps/system/api/assistant.py of the component API Endpoint. Such manipulation leads to improper access controls. It is possible to launch the attack remotely. The…

  • CVE-2026-5417 (Medium) Apr 2, 2026
    risk 0.31, cvss 4.7, epss 0.00

    A vulnerability was determined in Dataease SQLbot up to 1.6.0. This issue affects the function get_es_data_by_http of the file backend/apps/db/es_engine.py of the component Elasticsearch Handler. This manipulation of the argument address causes server-side request forgery. The…

  • CVE-2025-15598 (Low) Mar 3, 2026
    risk 0.24, cvss 3.7, epss 0.00

    A vulnerability was found in Dataease SQLBot up to 1.5.1. This impacts the function validateEmbedded of the file backend/apps/system/middleware/auth.py of the component JWT Token Handler. Performing a manipulation results in improper verification of cryptographic signature. The…

  • CVE-2026-32950 Mar 20, 2026
    risk 0.00, cvss n/a, epss 0.01

    SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.7.0 contain a critical SQL Injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that enables Remote Code Execution (RCE), allowing any authenticated user…

  • CVE-2026-32949 Mar 20, 2026
    risk 0.00, cvss n/a, epss 0.00

    SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.7.0 contain a Server-Side Request Forgery (SSRF) vulnerability that allows an attacker to retrieve arbitrary system and application files from the server. An attacker can…

  • CVE-2026-32622 Mar 19, 2026
    risk 0.00, cvss n/a, epss 0.01

    SQLBot is an intelligent data query system based on a large language model and RAG. Versions 1.5.0 and below contain a Stored Prompt Injection vulnerability that chains three flaws: a missing permission check on the Excel upload API allowing any authenticated user to upload…

  • CVE-2025-69285 Jan 21, 2026
    risk 0.00, cvss n/a, epss 0.00

    SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.5.0 contain a missing authentication vulnerability in the /api/v1/datasource/uploadExcel endpoint, allowing a remote unauthenticated attacker to upload arbitrary Excel/CSV…