{"data":{"id":"193a4da4-c249-45d2-9fbc-d350f4462cd8","title":"CVE-2026-32950: SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.7.0 contain a cr","summary":"In versions before 1.7.0, SQLBot, an intelligent data query system that uses a large language model and RAG (retrieval-augmented generation, where an AI pulls in external documents to answer questions), has a critical SQL injection vulnerability (a bug where an attacker tricks the system into running unintended database commands) that allows authenticated users to execute arbitrary code on the backend server. The vulnerability exists because Excel sheet names are inserted directly into database commands without proper sanitization (cleaning/validation), and attackers can exploit this by uploading specially crafted files to gain complete control of the system.","solution":"Update to version 1.7.0 or later, where this issue has been fixed.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-32950","publishedAt":"2026-03-20T05:16:14.553Z","cveId":"CVE-2026-32950","cweIds":["CWE-78","CWE-89"],"cvssScore":null,"cvssSeverity":null,"severity":"critical","attackType":["model_poisoning"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["SQLBot"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-03-20T05:16:14.553Z","capecIds":["CAPEC-66","CAPEC-88"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"rag","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}