CVE-2026-5417

Exploit

EPSS 0.05%
Veröffentlicht 02.04.2026 18:15:11
Zuletzt bearbeitet 29.04.2026 01:00:01
Quelle cna@vuldb.com
CVE-Watchlists
Login
Unerledigt
Login

Dataease SQLbot Elasticsearch es_engine.py get_es_data_by_http server-side request forgery

A vulnerability was determined in Dataease SQLbot up to 1.6.0. This issue affects the function get_es_data_by_http of the file backend/apps/db/es_engine.py of the component Elasticsearch Handler. This manipulation of the argument address causes server-side request forgery. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 1.7.0 is capable of addressing this issue. You should upgrade the affected component. The vendor was contacted early about this disclosure.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 8

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerDataease

≫

Produkt SQLbot

Version 1.0

Status affected

Version 1.1

Status affected

Version 1.2

Status affected

Version 1.3

Status affected

Version 1.4

Status affected

Version 1.5

Status affected

Version 1.6.0

Status affected

Version 1.7.0

Status unaffected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.155

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cna@vuldb.com	4.7	1.2	3.4	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
cna@vuldb.com	2	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cna@vuldb.com	5.8	6.4	6.4	AV:N/AC:L/Au:M/C:P/I:P/A:P

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/dataease/SQLBot/releases/tag/v1.7.0

https://vuldb.com/vuln/354854

https://vuldb.com/vuln/354854/cti

https://vuldb.com/submit/756043

https://www.notion.so/SQLbot-SSRF-in-Elasticsearch-Unvalidated-Requests-2afea92a3c4180bea524f1a253f8d9a0

https://nvd.nist.gov/vuln/detail/CVE-2026-5417

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-5417

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-5417

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-5417