What is the CVSS score of CVE-2025-68472?

CVE-2025-68472 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of AI / ML are affected by CVE-2025-68472?

Organizations using MindsDB face notable risk from CVE-2025-68472, a path traversal vulnerability rated CVSS 8.1.. A patch is available.

Is there a public PoC exploit available for CVE-2025-68472?

Yes, a public proof-of-concept exploit is available for CVE-2025-68472. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-68472?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Review file handling controls and restrict upload directories.

AI / ML CVE-2025-68472

HIGH

Path Traversal (CWE-22)

2026-01-12 security-advisories@github.com

GHSA-qqhf-pm3j-96g7

Path Traversal AI / ML Mindsdb

8.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.1 HIGH

AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 20, 2026 - 17:25 vuln.today

Public exploit code

CVE Published

Jan 12, 2026 - 17:15 nvd

HIGH 8.1

DescriptionGitHub Advisory

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. The PUT handler in file.py directly joins user-controlled data into a filesystem path when the request body is JSON and source_type is not "url". Only multipart uploads and URL-sourced uploads receive sanitization; JSON uploads lack any call to clear_filename or equivalent checks. This vulnerability is fixed in 25.11.1.

AnalysisAI

Technical ContextAI

Classified as CWE-22 (Path Traversal). Affects Mindsdb. MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. The PUT handler in file.py directly joins user-controlled data into a filesystem path when the request body is JSON and source_type is not "url". Only multipart uploads and URL-sourced uploads receive sanitiza

RemediationAI

Fixed in version 25.11.1.. Validate and sanitize file path inputs. Use allowlists.

CVE-2025-68472 vulnerability details – vuln.today

Back

AI / ML CVE-2025-68472

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code