RCE in DataEase SQLBot

CVE-2026-32950

SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.7.0 contain a critical SQL Injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that enables Remote Code Execution (R…

Vulnerability class: SQL Injection

EPSS: 0.002 (47.5th percentile)
