OpenBMB · XAgent · CVE-2026-3954
**Name of the Vulnerable Software and Affected Versions**
OpenBMB XAgent version 1.0.0
**Description**
A flaw exists in OpenBMB XAgent that allows for path traversal. The issue is located within the `workspace` function of the `XAgentServer/application/routers/workspace.py` file. Manipulation of the `file name` argument can lead to unauthorized access. This issue can be exploited remotely, and a public exploit is available. The project was notified of the issue but has not yet responded.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
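
For reference, a containment check of the kind that blocks this class of bug. This is an added example, not XAgent's own code: the page does not show the vulnerable handler, so `naive_join` is a generic illustration of the weak pattern, and `resolve_in_workspace`, `UnsafePathError` and the sample directory layout are hypothetical names and constructed data.

```python
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a requested file name would escape the workspace."""


def naive_join(workspace_root: str, file_name: str) -> str:
    # Weak pattern: the client-supplied name is joined without validation, so
    # "../" segments or an absolute path select files outside the workspace.
    return os.path.normpath(os.path.join(workspace_root, file_name))


def resolve_in_workspace(workspace_root: str, file_name: str) -> Path:
    # Hardened pattern: resolve ".." segments and symlinks first, then require
    # the result to sit strictly below the resolved workspace root.
    if not file_name or "\x00" in file_name:
        raise UnsafePathError("empty or malformed file name")
    root = Path(workspace_root).resolve()
    candidate = (root / file_name).resolve()
    if root not in candidate.parents:
        raise UnsafePathError(f"{file_name!r} resolves outside the workspace")
    return candidate


def demo() -> list:
    # Constructed layout: a workspace holding one file, plus a sibling file
    # that must never be reachable through the workspace.
    outcomes = []
    with tempfile.TemporaryDirectory() as base:
        root = Path(base) / "workspace"
        root.mkdir()
        (root / "report.txt").write_text("ok")
        outside = Path(base) / "secret.txt"
        outside.write_text("outside")
        for name in ["report.txt", "../secret.txt", str(outside), "."]:
            try:
                resolve_in_workspace(str(root), name)
                outcomes.append("allowed")
            except UnsafePathError:
                outcomes.append("rejected")
    return outcomes


if __name__ == "__main__":
    print(demo())
```
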