Which versions of Db Gpt are affected by CVE-2026-4504?

A critical SQL injection vulnerability in DB-GPT version 0.7.5 allows unauthenticated attackers to execute arbitrary database commands.

Is there a public PoC exploit available for CVE-2026-4504?

Yes, a public proof-of-concept exploit is available for CVE-2026-4504. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-4504?

Within 24 hours: Identify all systems running DB-GPT up to version 0.7.5 and immediately isolate them from production networks or restrict access to the /api/v1/editor/ endpoint via firewall rules. Within 7 days: Implement Web Application Firewall (WAF) rules to block SQL injection patterns targeting the vulnerable endpoint, and monitor for suspicious database activity. Within 30 days: Evaluate alternative solutions or await vendor patch; if DB-GPT remains necessary, maintain strict network segmentation and implement comprehensive database activity monitoring and access controls.

Db Gpt CVE-2026-4504

Q: What is the CVSS score of CVE-2026-4504?

CVE-2026-4504 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-13804 MEDIUM

SQL Injection (CWE-89)

2026-03-20 VulDB

SQLi Db Gpt

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:11 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

Severity Changed

Apr 22, 2026 - 21:37 NVD

HIGH MEDIUM

CVSS changed

Apr 22, 2026 - 21:37 NVD

7.3 (HIGH) 6.9 (MEDIUM)

PoC Detected

Mar 23, 2026 - 14:32 vuln.today

Public exploit code

EUVD ID Assigned

Mar 20, 2026 - 20:15 euvd

EUVD-2026-13804

Analysis Generated

Mar 20, 2026 - 20:15 vuln.today

CVE Published

Mar 20, 2026 - 20:02 nvd

HIGH 7.3

DescriptionCVE.org

A flaw has been found in eosphoros-ai db-gpt up to 0.7.5. This vulnerability affects unknown code of the file /api/v1/editor/ of the component Incomplete Fix. This manipulation causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

SQL injection in eosphoros-ai db-gpt versions up to 0.7.5 allows unauthenticated remote attackers to manipulate the /api/v1/editor/ endpoint and execute arbitrary database queries. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send crafted request to /api/v1/editor/ endpoint

Delivery

Inject SQL payload in unvalidated parameter

Exploit

Bypass incomplete fix validation

Execution

Execute arbitrary SQL queries

Impact

Access or modify database contents