CVE-2026-32628
🟠 Łataj w tym tygodniu
Wstrzyknięcie SQL w AnythingLLM umożliwia zdalne wykonanie dowolnych poleceń SQL na połączonych bazach danych.
CVSS
8.8
EPSS
0.0%
Exploit
poc
Vendor
mintplexlabs
Opis źródłowy (NVD)
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invoke the agent to execute arbitrary SQL commands on connected databases. The getTableSchemaSql() method in all three database connectors (MySQL, PostgreSQL, MSSQL) constructs SQL queries using direct string concatenation of the table_name parameter without sanitization or parameterization.
exploit sql-injection
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 8.8 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.0% |
| Opublikowano (NVD) | 2026-03-16 14:19:40 UTC |
| Ostatnia modyfikacja (NVD) | 2026-03-16 20:33:27 UTC |
Referencje
- https://github.com/Mintplex-Labs/anything-llm/commit/334ce052f063b53a4275518cbed3bab357695d7e (security-advisories@github.com) [Patch]
- https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jwjx-mw2p-5wc7 (security-advisories@github.com) [Exploit, Vendor Advisory, Mitigation]