| 标题 | Mindinventory MindSQL v0.2.1 SQL Injection |
|---|
| 描述 | A **prompt injection** vulnerability exists in the application flow where untrusted user input is forwarded to an LLM to generate SQL and (optionally) Python visualization code. If the system **executes or evaluates** LLM-generated Python (e.g., for Plotly chart generation), an attacker can craft a prompt that coerces the model into producing **malicious Python statements**, potentially leading to **Remote Code Execution (RCE)** on the host.
|
|---|
| 来源 | ⚠️ https://github.com/Ka7arotto/cve/blob/main/MindSQL-RCE.md |
|---|
| 用户 | Goku (UID 80486) |
|---|
| 提交 | 2026-03-06 12時35分 (3 月前) |
|---|
| 管理 | 2026-03-20 15時08分 (14 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 352072 [Mindinventory MindSQL 直到 0.2.1 mindsql_core.py ask_db 权限提升] |
|---|
| 积分 | 20 |
|---|