CVE-2025-51458

Medium CVSS: 6.5

SQL Injection in editor_sql_run and query_ex in eosphoros-ai DB-GPT 0.7.0 allows remote attackers to execute arbitrary SQL statements via crafted input passed to the /v1/editor/sql/run or /v1/editor/chart/run endpoints, interacting with api_editor_v1.editor_sql_run, editor_chart_run, and datasource.rdbms.base.query_ex.

Vendor

Dbgpt

Product

Db-gpt

CWE

CWE-89

Yayın Tarihi

2025-07-22 20:15:25

Güncelleme

2025-09-11 16:09:07

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-89 Db-gpt MEDIUM Dbgpt 2025

Referanslar

https://github.com/eosphoros-ai/DB-GPT/pull/2650 https://www.gecko.security/blog/cve-2025-51458

Benzer Kayıtlar

Medium

CVE-2025-51459

File Upload vulnerability in agent.hub.controller.refresh_plugins in eosphoros-ai DB-GPT 0.7.0 allows remote attackers t…

Medium

CVE-2025-6772

A vulnerability was found in eosphoros-ai db-gpt up to 0.7.2. It has been classified as critical. Affected is the functi…

High

CVE-2025-0452

eosphoros-ai/DB-GPT version latest is vulnerable to arbitrary file deletion on Windows systems via the '/v1/agent/hub/up…

Critical

CVE-2024-10902

In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /v1/personal/agent/upload` is vulnerable to Arbitrary File Uplo…

High

CVE-2024-10906

In version 0.6.0 of eosphoros-ai/db-gpt, the `uvicorn` app created by `dbgpt_server` uses an overly permissive instance…

High

CVE-2024-10829

A Denial of Service (DoS) vulnerability in the multipart request boundary processing mechanism of eosphoros-ai/db-gpt v0…