eosphoros-ai / db-gpt
Project repository
AI Native Data App Development framework with AWEL (Agentic Workflow Expression Language) and Agents
Maintainer response targets: first interaction within N/A days; review within 19 days; fix within N/A days.
Reports (title | date | reporter | status | severity | bounty | CVE):

Prompt injection in eosphoros-ai/db-gpt leading to arbitrary code execution | Mar 5th 2025 | glmgbj233 | self closed | | |
Regular expression Denial of Service - ReDoS | Apr 25th 2025 | tatianahub | pending | | |
Arbitrary File Upload with Path Traversal via POST /api/v1/personal/agent/upload | Jan 2nd 2025 | xcx1r3 | duplicate | Critical | |
Arbitrary file write | Feb 17th 2025 | hoanpham1 | duplicate | Critical | |
Arbitrary file write | Feb 11th 2025 | hoanpham1 | duplicate | Critical | |
Arbitrary file deletion on Windows via the '/v1/agent/hub/update' endpoint | Feb 7th 2025 | williwollo | | High | $300 | CVE-2025-0452
Arbitrary file write via '/v1/resource/file/upload' endpoint | Feb 5th 2025 | williwollo | duplicate | Critical | |
Arbitrary file write via 'knowledge/{space_name}/document/upload' endpoint | Feb 5th 2025 | williwollo | duplicate | Critical | |
Arbitrary File Write through API `v1/personal/agent/upload` leads to RCE | Feb 4th 2025 | jackfromeast | duplicate | Critical | |
Writing arbitrary files leads to RCE in the Knowledge creation function | Feb 3rd 2025 | ngductung | duplicate | Critical | |
Path Traversal During Document Upload Can Lead to RCE | Jan 22nd 2025 | r0path | duplicate | High | |
Denial of service | Jan 10th 2025 | oicu0619 | duplicate | High | |
SSRF in `/api/v1/chat/db/test/connect` | Nov 5th 2024 | bidaya0 | informative | High | |
Insecure file upload mechanism on /api/v1/resource/file/upload | Jan 4th 2025 | bidaya0 | duplicate | Critical | |
A CSRF vulnerability has been identified in the `/prompt/update` and `/construct... | Jan 4th 2025 | bidaya0 | duplicate | Medium | |
CSRF due to the default use of CORS-middleware in dbgpt_server | Jan 4th 2025 | patrik-ha | | High | $300 | CVE-2024-10906
Insecure file upload mechanism on /knowledge/{space_name}/document/upload | Jan 4th 2025 | bidaya0 | duplicate | Critical | |
Prompt injection which leads to arbitrary code execution in dbgpt.core.interface... | Dec 18th 2024 | bidaya0 | informative | High | |
Arbitrary File Upload with Path Traversal via POST /knowledge/{space_name}/docum... | Jan 3rd 2025 | zpbrent | duplicate | Critical | |
Arbitrary File Upload with Path Traversal via POST /api/v2/serve/knowledge/docum... | Jan 3rd 2025 | zpbrent | duplicate | Critical | |
Arbitrary file write through plugin upload | Jan 2nd 2025 | patrik-ha | duplicate | Critical | |
Arbitrary File Upload with Path Traversal via POST /v1/personal/agent/upload | Jan 2nd 2025 | zpbrent | | Critical | $600 | CVE-2024-10902
Arbitrary File Write via DuckDB SQL Injection in POST /api/v1/editor/chart/run | Jan 2nd 2025 | zpbrent | | Critical | $600 | CVE-2024-10901
Arbitrary File Write via DuckDB SQL Injection in POST /api/v1/editor/sql/run | Jan 2nd 2025 | zpbrent | | Critical | $600 | CVE-2024-10835
Arbitrary file write through RAG-knowledge endpoint | Nov 4th 2024 | patrik-ha | | Critical | $600 | CVE-2024-10834
Arbitrary File Upload with Path Traversal via POST /api/v1/resource/file/upload | Jan 1st 2025 | zpbrent | duplicate | Critical | |
Arbitrary File Delete via POST /api/v1/resource/file/delete | Jan 1st 2025 | zpbrent | duplicate | Critical | |
Arbitrary file write through knowledge API | Jan 1st 2025 | patrik-ha | | Critical | $600 | CVE-2024-10833
Arbitrary file write through absolute path traversal | Dec 31st 2024 | patrik-ha | | Critical | $600 | CVE-2024-10831
Remote file deletion through web-API | Dec 31st 2024 | patrik-ha | duplicate | Critical | |
Path Traversal | Nov 4th 2024 | past3l | spam | | |
CORS misconfiguration leads to data leak | Dec 30th 2024 | srivallikusumba | pending | | |
Unauthenticated DoS via multipart boundary | Dec 30th 2024 | mnqazi | | High | $300 | CVE-2024-10829
Path Traversal in api `/v1/resource/file/delete` | Nov 5th 2024 | tungpentest | | High | $300 | CVE-2024-10830
Path Traversal at API `/v1/resource/file/read` | Nov 5th 2024 | ngductung | informative | Medium | |
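Most of the paid and duplicate reports above are one bug class: a client-supplied file name reaching a filesystem write, read or delete without being confined to the intended directory (relative `..` segments, absolute paths, and, per the Windows deletion report, backslash separators). The following is an added example of the check an upload or delete handler needs before touching the disk; it is not code from the db-gpt project and does not reproduce any listed report's input. The function names, the `SAMPLE_NAMES` list and the temporary upload root are assumptions made for illustration.

```python
"""Added example: confining a client-supplied file name to an upload root."""
import os
import tempfile


class UnsafePathError(ValueError):
    """Raised when a client-supplied file name would escape the upload root."""


def safe_upload_path(upload_root: str, client_name: str) -> str:
    """Return the absolute path under upload_root where client_name may be written.

    Layer 1 rejects anything that is not a single plain path component. Backslashes
    and drive-letter colons are treated as separators too, so a name crafted for a
    Windows host is rejected even when this check runs on Linux.
    Layer 2 resolves the joined path (following symlinks) and confirms it is still
    inside upload_root; it is defence in depth in case layer 1 is later relaxed.
    """
    name = client_name.replace("\\", "/")
    if name in ("", ".", "..") or "/" in name or ":" in name or "\x00" in name:
        raise UnsafePathError(f"rejected file name: {client_name!r}")
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise UnsafePathError(f"resolved outside upload root: {client_name!r}")
    return target


# Constructed sample inputs: the shapes a traversal probe typically sends, not the
# payloads from any report listed on this page.
SAMPLE_NAMES = [
    "report.pdf",
    "../../etc/cron.d/task",
    "/etc/passwd",
    "..\\..\\Windows\\win.ini",
    "C:boot.ini",
    "..",
    "notes\x00.txt",
]


def classify_names(upload_root: str, names):
    """Map each name to True (accepted) or False (rejected) for the given root."""
    verdicts = {}
    for name in names:
        try:
            safe_upload_path(upload_root, name)
            verdicts[name] = True
        except UnsafePathError:
            verdicts[name] = False
    return verdicts


def demo():
    """Run the classifier against a throwaway upload root and return the verdicts."""
    with tempfile.TemporaryDirectory() as root:
        return classify_names(root, SAMPLE_NAMES)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'accept' if ok else 'REJECT'}  {name!r}")
```

Only the first sample name is accepted. The same `safe_upload_path` call belongs in front of every read and delete endpoint as well, since the listing shows the confinement bug recurring across upload, read and delete routes rather than in one place.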
Current bounty amounts by severity: Critical $0 | High $0 | Medium $0 | Low $0