
Vulnerability_id VCID-pnwu-wecn-yqhs
Summary SQLBot is an intelligent data query system based on a large language model and RAG. Versions 1.5.0 and below contain a Stored Prompt Injection vulnerability that chains three flaws: a missing permission check on the Excel upload API allowing any authenticated user to upload malicious terminology, unsanitized storage of terminology descriptions containing dangerous payloads, and a lack of semantic fencing when injecting terminology into the LLM's system prompt. Together, these flaws allow an attacker to hijack the LLM's reasoning to generate malicious PostgreSQL commands (e.g., COPY ... TO PROGRAM), ultimately achieving Remote Code Execution on the database or application server with postgres user privileges. The issue is fixed in v1.6.0.
Aliases
  0
    alias CVE-2026-32622
Fixed_packages
Affected_packages
References
  0
    reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32622
    reference_id
    reference_type
    scores
      0
        value 0.00449
        scoring_system epss
        scoring_elements 0.64144
        published_at 2026-06-14T12:55:00Z
      1
        value 0.00449
        scoring_system epss
        scoring_elements 0.64031
        published_at 2026-06-11T12:55:00Z
      2
        value 0.00449
        scoring_system epss
        scoring_elements 0.64134
        published_at 2026-06-12T12:55:00Z
      3
        value 0.00449
        scoring_system epss
        scoring_elements 0.64147
        published_at 2026-06-13T12:55:00Z
    url https://api.first.org/data/v1/epss?cve=CVE-2026-32622
  1
    reference_url https://github.com/dataease/SQLBot/security/advisories/GHSA-m7q7-vhw9-q7m3
    reference_id GHSA-m7q7-vhw9-q7m3
    reference_type
    scores
      0
        value 8.6
        scoring_system cvssv4
        scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
      1
        value Track*
        scoring_system ssvc
        scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-24T01:40:07Z/
    url https://github.com/dataease/SQLBot/security/advisories/GHSA-m7q7-vhw9-q7m3
  2
    reference_url https://github.com/dataease/SQLBot/releases/tag/v1.6.0
    reference_id v1.6.0
    reference_type
    scores
      0
        value 8.6
        scoring_system cvssv4
        scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
      1
        value Track*
        scoring_system ssvc
        scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-24T01:40:07Z/
    url https://github.com/dataease/SQLBot/releases/tag/v1.6.0
Weaknesses
  0
    cwe_id 20
    name Improper Input Validation
    description The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
  1
    cwe_id 74
    name Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    description The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
  2
    cwe_id 77
    name Improper Neutralization of Special Elements used in a Command ('Command Injection')
    description The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
  3
    cwe_id 862
    name Missing Authorization
    description The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Exploits
Severity_range_score 8.6 - 8.6
Exploitability null
Weighted_severity null
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pnwu-wecn-yqhs