MindsDB
Remote code execution in MindsDB prior to version 25.9.1.1 allows authenticated attackers to bypass file upload restrictions through path traversal in the /api/files endpoint. An attacker can exploit insufficient filename validation to write arbitrary files to any location on the server, achieving command execution. Public exploit code exists for this vulnerability.
MindsDB versions up to 25.14.1 contain a server-side request forgery vulnerability in the file upload functionality that allows authenticated remote attackers to forge requests to internal or external systems. Public exploit code exists for this vulnerability, and affected organizations should apply patch 74d6f0fd4b630218519a700fbee1c05c7fd4b1ed or upgrade to a patched version immediately.
MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. [CVSS 8.1 HIGH]