Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.7.0 contain a critical SQL Injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that enables Remote Code Execution (RCE), allowing any authenticated user (even the lowest-privileged) to fully compromise the backend server. The root cause is twofold: Excel Sheet names are concatenated directly into PostgreSQL table names without sanitization (datasource.py#L351), and those table names are embedded into COPY SQL statements via f-strings instead of parameterized queries (datasource.py#L385-L388). An attacker can bypass the 31-character Sheet name limit using a two-stage technique-first uploading a normal file whose data rows contain shell commands, then uploading an XML-tampered file whose Sheet name injects a TO PROGRAM 'sh' clause into the SQL. Confirmed impacts include arbitrary command execution as the postgres user (uid=999), sensitive file exfiltration (e.g., /etc/passwd, /etc/shadow), and complete PostgreSQL database takeover. This issue has been fixed in version 1.7.0.
AnalysisAI
SQLBot, an intelligent data query system based on large language models and RAG, contains a critical SQL injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that allows authenticated users with minimal privileges to achieve remote code execution on the backend server. SQLBot versions prior to 1.7.0 are affected, and attackers can exploit unsafe concatenation of Excel sheet names into PostgreSQL table names and COPY statements to inject malicious SQL commands. The vulnerability enables arbitrary command execution as the postgres user, database takeover, and sensitive file exfiltration including /etc/passwd and /etc/shadow.
Technical ContextAI
This vulnerability affects SQLBot, a Python-based data query system that integrates large language models with Retrieval-Augmented Generation (RAG) for natural language database queries. The root cause maps to CWE-78 (OS Command Injection), stemming from two critical flaws in datasource.py: Excel sheet names are directly concatenated into PostgreSQL table names without sanitization at line 351, and these unsanitized table names are embedded into COPY SQL statements using Python f-strings rather than parameterized queries at lines 385-388. Attackers exploit PostgreSQL's COPY TO PROGRAM feature, which allows SQL statements to invoke shell commands, by uploading specially crafted Excel files with XML-tampered sheet names that inject a TO PROGRAM 'sh' clause. The two-stage attack bypasses the 31-character sheet name limit by first uploading normal data containing shell commands, then uploading a file whose sheet name completes the SQL injection payload.
RemediationAI
Upgrade SQLBot to version 1.7.0 or later immediately, as documented in the release notes at https://github.com/dataease/SQLBot/releases/tag/v1.7.0. The fix implemented in commit 39f2203cec4bb4b0aa541710733fe7608e3d3c48 addresses the unsafe string concatenation by implementing proper input sanitization for Excel sheet names and replacing f-string SQL construction with parameterized queries. Until patching is completed, implement compensating controls including restricting access to the /api/v1/datasource/uploadExcel endpoint to only highly trusted administrators, implementing strict input validation on file uploads at the web application firewall or reverse proxy layer, and monitoring PostgreSQL logs for suspicious COPY TO PROGRAM statements. Organizations should audit existing uploaded Excel files for potential malicious sheet names and review postgres user command execution logs for signs of prior exploitation.
More in PostgreSQL
View allPostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re
Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow
The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve
## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin
Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot
Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al
A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13543