VulnerableCode Package Details - pkg:pypi/mindsdb@24.9.2.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-1gz1-9n27-p3gf Aliases: CVE-2024-45855 GHSA-fr9q-rgwq-g5r5 PYSEC-2024-85	Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using ‘finetune’ on it.	There are no reported fixed by versions.
VCID-5k2e-1txt-9uch Aliases: CVE-2024-45852 GHSA-7vhj-pfwv-hx3w PYSEC-2024-82	Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with.	There are no reported fixed by versions.
VCID-c9zz-2wmt-t3hj Aliases: CVE-2024-45854 GHSA-7vhh-gfjc-x8rm PYSEC-2024-84	Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when a ‘describe’ query is run on it.	There are no reported fixed by versions.
VCID-cgk6-21yc-r3ad Aliases: CVE-2024-45853 GHSA-q9r8-89xr-4xv4 PYSEC-2024-83	Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when used for a prediction.	There are no reported fixed by versions.
VCID-krac-rtac-2qe5 Aliases: CVE-2026-7711 GHSA-9f6m-65v9-x9g2	MindsDB has an Improper Access Control Issue A weakness has been identified in MindsDB up to 26.01. This impacts the function exec of the file mindsdb/integrations/handlers/byom_handler/proc_wrapper.py of the component Engine Handler. Executing a manipulation can lead to unrestricted upload. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.	26.1.0rc1 Affected by 0 other vulnerabilities.
VCID-qtua-yjhn-nqav Aliases: CVE-2026-27483 GHSA-4894-xqv6-vrfq	MindsDB: Path Traversal in /api/files Leading to Remote Code Execution There is a path traversal vulnerability in Mindsdb's /api/files interface, which an authenticated attacker can exploit to achieve remote command execution.	25.9.1.1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-stp6-86fa-cubn Aliases: CVE-2026-2531 GHSA-6xw9-2p64-7622 PYSEC-2026-91	A security vulnerability has been detected in MindsDB up to 25.14.1. This vulnerability affects the function clear_filename of the file mindsdb/utilities/security.py of the component File Upload. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 74d6f0fd4b630218519a700fbee1c05c7fd4b1ed. It is best practice to apply a patch to resolve this issue.	26.0.0rc1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-tbn5-7918-tqg2 Aliases: CVE-2024-45856 GHSA-32fj-r8qw-r8w8	MindsDB Cross-site Scripting vulnerability A cross-site scripting (XSS) vulnerability exists in all versions of the MindsDB platform, enabling the execution of a JavaScript payload whenever a user enumerates an ML Engine, database, project, or dataset containing arbitrary JavaScript code within the web UI.	There are no reported fixed by versions.
VCID-uab9-6bgh-efct Aliases: CVE-2025-68472 GHSA-qqhf-pm3j-96g7 PYSEC-2026-90	MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. The PUT handler in file.py directly joins user-controlled data into a filesystem path when the request body is JSON and source_type is not "url". Only multipart uploads and URL-sourced uploads receive sanitization; JSON uploads lack any call to clear_filename or equivalent checks. This vulnerability is fixed in 25.11.1.	25.11.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-1gz1-9n27-p3gf
Aliases:
CVE-2024-45855
GHSA-fr9q-rgwq-g5r5
PYSEC-2024-85

Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using ‘finetune’ on it.

There are no reported fixed by versions.

VCID-5k2e-1txt-9uch
Aliases:
CVE-2024-45852
GHSA-7vhj-pfwv-hx3w
PYSEC-2024-82

Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with.

There are no reported fixed by versions.

VCID-c9zz-2wmt-t3hj
Aliases:
CVE-2024-45854
GHSA-7vhh-gfjc-x8rm
PYSEC-2024-84

Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when a ‘describe’ query is run on it.

There are no reported fixed by versions.

VCID-cgk6-21yc-r3ad
Aliases:
CVE-2024-45853
GHSA-q9r8-89xr-4xv4
PYSEC-2024-83

There are no reported fixed by versions.

VCID-krac-rtac-2qe5
Aliases:
CVE-2026-7711
GHSA-9f6m-65v9-x9g2

MindsDB has an Improper Access Control Issue A weakness has been identified in MindsDB up to 26.01. This impacts the function exec of the file mindsdb/integrations/handlers/byom_handler/proc_wrapper.py of the component Engine Handler. Executing a manipulation can lead to unrestricted upload. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

26.1.0rc1
Affected by 0 other vulnerabilities.

VCID-qtua-yjhn-nqav
Aliases:
CVE-2026-27483
GHSA-4894-xqv6-vrfq

MindsDB: Path Traversal in /api/files Leading to Remote Code Execution There is a path traversal vulnerability in Mindsdb's /api/files interface, which an authenticated attacker can exploit to achieve remote command execution.

25.9.1.1
Affected by 3 other vulnerabilities.

VCID-stp6-86fa-cubn
Aliases:
CVE-2026-2531
GHSA-6xw9-2p64-7622
PYSEC-2026-91

A security vulnerability has been detected in MindsDB up to 25.14.1. This vulnerability affects the function clear_filename of the file mindsdb/utilities/security.py of the component File Upload. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 74d6f0fd4b630218519a700fbee1c05c7fd4b1ed. It is best practice to apply a patch to resolve this issue.

26.0.0rc1
Affected by 1 other vulnerability.

VCID-tbn5-7918-tqg2
Aliases:
CVE-2024-45856
GHSA-32fj-r8qw-r8w8

MindsDB Cross-site Scripting vulnerability A cross-site scripting (XSS) vulnerability exists in all versions of the MindsDB platform, enabling the execution of a JavaScript payload whenever a user enumerates an ML Engine, database, project, or dataset containing arbitrary JavaScript code within the web UI.

There are no reported fixed by versions.

VCID-uab9-6bgh-efct
Aliases:
CVE-2025-68472
GHSA-qqhf-pm3j-96g7
PYSEC-2026-90

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. The PUT handler in file.py directly joins user-controlled data into a filesystem path when the request body is JSON and source_type is not "url". Only multipart uploads and URL-sourced uploads receive sanitization; JSON uploads lack any call to clear_filename or equivalent checks. This vulnerability is fixed in 25.11.1.

25.11.1
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T08:25:37.191031+00:00	GitLab Importer	Affected by	VCID-krac-rtac-2qe5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/mindsdb/CVE-2026-7711.yml	38.6.0
2026-06-06T06:57:45.748616+00:00	GitLab Importer	Affected by	VCID-qtua-yjhn-nqav	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/mindsdb/CVE-2026-27483.yml	38.6.0
2026-06-06T06:52:19.423402+00:00	GitLab Importer	Affected by	VCID-stp6-86fa-cubn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/mindsdb/CVE-2026-2531.yml	38.6.0
2026-06-06T06:37:31.233868+00:00	GitLab Importer	Affected by	VCID-uab9-6bgh-efct	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/mindsdb/CVE-2025-68472.yml	38.6.0
2026-06-06T05:22:06.993965+00:00	GitLab Importer	Affected by	VCID-5k2e-1txt-9uch	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/mindsdb/CVE-2024-45852.yml	38.6.0
2026-06-06T05:22:06.125556+00:00	GitLab Importer	Affected by	VCID-c9zz-2wmt-t3hj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/mindsdb/CVE-2024-45854.yml	38.6.0
2026-06-06T05:22:03.414074+00:00	GitLab Importer	Affected by	VCID-tbn5-7918-tqg2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/mindsdb/CVE-2024-45856.yml	38.6.0
2026-06-06T05:22:00.870160+00:00	GitLab Importer	Affected by	VCID-1gz1-9n27-p3gf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/mindsdb/CVE-2024-45855.yml	38.6.0
2026-06-06T05:22:00.502837+00:00	GitLab Importer	Affected by	VCID-cgk6-21yc-r3ad	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/mindsdb/CVE-2024-45853.yml	38.6.0
2026-06-05T17:04:56.441852+00:00	PyPI Importer	Affected by	VCID-stp6-86fa-cubn	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-06-05T17:04:50.032176+00:00	PyPI Importer	Affected by	VCID-uab9-6bgh-efct	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-06-02T04:23:55.965991+00:00	Pypa Importer	Affected by	VCID-stp6-86fa-cubn	https://github.com/pypa/advisory-database/blob/main/vulns/mindsdb/PYSEC-2026-91.yaml	38.6.0
2026-06-02T04:23:41.357140+00:00	Pypa Importer	Affected by	VCID-uab9-6bgh-efct	https://github.com/pypa/advisory-database/blob/main/vulns/mindsdb/PYSEC-2026-90.yaml	38.6.0