Mindsdb
Products (1)
- Mindsdb (pypi), 23 CVEs
Recent CVEs (23)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-7712 | | Med | 0.41 | 6.3 | 0.00 | | May 4, 2026 | A security vulnerability has been detected in MindsDB up to 26.01. Affected is the function pickle.loads of the component Pickle Handler. The manipulation leads to deserialization. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may… |
| CVE-2026-2531 | | Med | 0.34 | 6.3 | 0.00 | | Feb 16, 2026 | A security vulnerability has been detected in MindsDB up to 25.14.1. This vulnerability affects the function clear_filename of the file mindsdb/utilities/security.py of the component File Upload. Such manipulation leads to server-side request forgery. The attack may be performed… |
| CVE-2026-27483 | | | 0.00 | — | 0.11 | | Feb 24, 2026 | MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.9.1.1, there is a path traversal vulnerability in Mindsdb's /api/files interface, which an authenticated attacker can exploit to achieve remote command execution. The… |
| CVE-2025-68472 | | | 0.00 | — | 0.19 | | Jan 12, 2026 | MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing… |
| CVE-2024-45856 | | | 0.00 | — | 0.00 | | Sep 12, 2024 | A cross-site scripting (XSS) vulnerability exists in all versions of the MindsDB platform, enabling the execution of a JavaScript payload whenever a user enumerates an ML Engine, database, project, or dataset containing arbitrary JavaScript code within the web UI. |
| CVE-2024-45855 | | | 0.00 | — | 0.00 | | Sep 12, 2024 | Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using ‘finetune’ on it. |
| CVE-2024-45854 | | | 0.00 | — | 0.00 | | Sep 12, 2024 | Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when a ‘describe’ query is run on it. |
| CVE-2024-45853 | | | 0.00 | — | 0.00 | | Sep 12, 2024 | Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when used for a prediction. |
| CVE-2024-45852 | | | 0.00 | — | 0.01 | | Sep 12, 2024 | Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with. |
| CVE-2024-45851 | | | 0.00 | — | 0.01 | | Sep 12, 2024 | An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for list item… |
| CVE-2024-45850 | | | 0.00 | — | 0.01 | | Sep 12, 2024 | An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for site… |
| CVE-2024-45849 | | | 0.00 | — | 0.01 | | Sep 12, 2024 | An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for list… |
| CVE-2024-45848 | | | 0.00 | — | 0.01 | | Sep 12, 2024 | An arbitrary code execution vulnerability exists in versions 23.12.4.0 up to 24.7.4.1 of the MindsDB platform, when the ChromaDB integration is installed on the server. If a specially crafted ‘INSERT’ query containing Python code is run against a database created with the… |
| CVE-2024-45847 | | | 0.00 | — | 0.01 | | Sep 12, 2024 | An arbitrary code execution vulnerability exists in versions 23.11.4.2 up to 24.7.4.1 of the MindsDB platform, when one of several integrations is installed on the server. If a specially crafted ‘UPDATE’ query containing Python code is run against a database created with the… |
| CVE-2024-45846 | | | 0.00 | — | 0.02 | | Sep 12, 2024 | An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. If a specially crafted ‘SELECT WHERE’ clause containing Python code is run against a database created with… |
| CVE-2024-24759 | | | 0.00 | — | 0.05 | | Sep 5, 2024 | MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 23.12.4.2, a threat actor can bypass the server-side request forgery protection on the whole website with DNS Rebinding. The vulnerability can also lead to denial of service.… |
| CVE-2024-3575 | | | 0.00 | — | 0.00 | | Apr 16, 2024 | Cross-site Scripting (XSS) - Stored in mindsdb/mindsdb |
| CVE-2023-50731 | | | 0.00 | — | 0.01 | | Dec 22, 2023 | MindsDB is a SQL Server for artificial intelligence. Prior to version 23.11.4.1, the `put` method in `mindsdb/mindsdb/api/http/namespaces/file.py` does not validate the user-controlled name value, which is used in a temporary file name, which is afterwards opened for writing on… |
| CVE-2023-49796 | | | 0.00 | — | 0.00 | | Dec 11, 2023 | MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a limited file write vulnerability in `file.py`. Users should use MindsDB's `staging` branch or v23.11.4.1, which contain a fix for the issue. |
| CVE-2023-49795 | | | 0.00 | — | 0.00 | | Dec 11, 2023 | MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a server-side request forgery vulnerability in `file.py`. This can lead to limited information disclosure. Users should use MindsDB's `staging` branch or v23.11.4.1, which… |