VulnerableCode Package Details - pkg:pypi/openchatbi@0.2.2

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:pypi/openchatbi@0.2.2

Essentials
History (1)

purl	pkg:pypi/openchatbi@0.2.2

Vulnerabilities affecting this package (0)

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-x4tk-nyre-1ya8	OpenChatBI has a Path Traversal Vulnerability in save_report Tool The `save_report` tool in `openchatbi/tool/save_report.py` suffers from a critical path traversal vulnerability due to insufficient input sanitization of the `file_format` parameter. The function only removes leading dots of `file_format` using `file_format.lstrip(".")` but allows path traversal sequences like `/../../` to pass through unchanged. When the filename is constructed via string concatenation in f"{timestamp}_{clean_title}.{file_format}" malicious path sequences are preserved, enabling attackers to write files outside the designated report directory. An attacker can manipulate the LLM to call the tool with a specific `file_format` to overwrite critical system files like `__init__.py`, potentially leading to remote code execution.	CVE-2026-28795 GHSA-vmwq-8g8c-jm79

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:51:03.366661+00:00	GitLab Importer	Fixing	VCID-x4tk-nyre-1ya8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/openchatbi/CVE-2026-28795.yml	38.6.0