Suggestions search

Untriaged

Filter by:

With package: python314Packages.mindsdb-evaluator

Found 2 matching suggestions

View:

Compact

Detailed

Permalink CVE-2026-27483

8.8 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 1 month, 4 weeks ago Activity log

Created suggestion 1 month, 4 weeks ago

MindsDB has Path Traversal in /api/files Leading to Remote Code Execution

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.9.1.1, there is a path traversal vulnerability in Mindsdb's /api/files interface, which an authenticated attacker can exploit to achieve remote command execution. The vulnerability exists in the "Upload File" module, which corresponds to the API endpoint /api/files. Since the multipart file upload does not perform security checks on the uploaded file path, an attacker can perform path traversal by using `../` sequences in the filename field. The file write operation occurs before calling clear_filename and save_file, meaning there is no filtering of filenames or file types, allowing arbitrary content to be written to any path on the server. Version 25.9.1.1 patches the issue.

References

https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4894-xqv6-vrfq x_refsource_CONFIRM
https://github.com/mindsdb/mindsdb/commit/87a44bdb2b97f963e18f10a068e1a1e2690505ef x_refsource_MISC
https://github.com/mindsdb/mindsdb/releases/tag/v25.9.1.1 x_refsource_MISC

Affected products

mindsdb

==< 25.9.1.1

Matching in nixpkgs

pkgs.python312Packages.mindsdb-evaluator

Model evaluation for Machine Learning pipelines

nixos-25.11 0.0.20
- nixos-25.11-small 0.0.20
- nixpkgs-25.11-darwin 0.0.20

pkgs.python313Packages.mindsdb-evaluator

Model evaluation for Machine Learning pipelines

nixos-unstable 0.0.21
- nixpkgs-unstable 0.0.21
- nixos-unstable-small 0.0.21
nixos-25.11 0.0.20
- nixos-25.11-small 0.0.20
- nixpkgs-25.11-darwin 0.0.20

pkgs.python314Packages.mindsdb-evaluator

Model evaluation for Machine Learning pipelines

nixos-unstable 0.0.21
- nixpkgs-unstable 0.0.21
- nixos-unstable-small 0.0.21

Package maintainers

@mbalatsko Maksym Balatsko <mbalatsko@gmail.com>

Permalink CVE-2026-2531

6.3 MEDIUM

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

created 2 months ago Activity log

Created suggestion 2 months ago

MindsDB File Upload security.py clear_filename server-side request forgery

A security vulnerability has been detected in MindsDB up to 25.14.1. This vulnerability affects the function clear_filename of the file mindsdb/utilities/security.py of the component File Upload. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 74d6f0fd4b630218519a700fbee1c05c7fd4b1ed. It is best practice to apply a patch to resolve this issue.