PT-2026-3859 · Pandas+2

Published 2026-01-21 · Updated 2026-02-02 · CVE-2025-69285

CVSS v4.0 8.7 High
Vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: SQLBot versions prior to 1.5.0
Description: SQLBot is an intelligent data query system based on a large language model and RAG. A missing authentication check in the /api/v1/datasource/uploadExcel endpoint allows unauthenticated remote attackers to upload arbitrary Excel or CSV files and inject data directly into the PostgreSQL database. The endpoint is explicitly whitelisted in the token-validation middleware, so requests reach the upload handler without any credential check. Uploaded files are parsed with pandas and written to the database via DataFrame.to_sql() with if_exists='replace', which drops any existing table of the same name and recreates it from the uploaded file; an attacker can therefore overwrite existing tables as well as add new ones, which is why the vector rates integrity impact High.
Recommendations: Update to version 1.5.0 or later.
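The two defects described above, the whitelisted path that skips token validation and the if_exists='replace' load, are modelled in the following added example. This is not SQLBot's code: the middleware, handler, table and field names are assumptions, and pandas.DataFrame.to_sql(if_exists=...) and the PostgreSQL backend are replaced by a small stand-in on an in-memory SQLite database so the script runs offline. The constructed attacker upload targets an existing "users" table.

```python
"""Model of CVE-2025-69285 (SQLBot < 1.5.0): an upload endpoint whitelisted
past token validation, whose handler loads the file with if_exists='replace'.

Added example, not SQLBot's code. pandas.DataFrame.to_sql(if_exists=...) is
modelled with sqlite3 and csv from the standard library so the script runs
offline; the real target is PostgreSQL. Paths, tokens, table and field names
are assumptions chosen for the demonstration.
"""
import csv
import io
import re
import sqlite3

UPLOAD_PATH = "/api/v1/datasource/uploadExcel"   # path named in the advisory
VALID_TOKEN = "secret-session-token"             # constructed stand-in token

# Vulnerable configuration: the upload path is whitelisted, so the token
# check is skipped for it. Fixed configuration: only the login route is exempt.
WHITELIST_VULNERABLE = frozenset({"/api/v1/login", UPLOAD_PATH})
WHITELIST_FIXED = frozenset({"/api/v1/login"})

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def is_authenticated(path, token, whitelist):
    """Token middleware as assumed here: whitelisted paths bypass validation."""
    if path in whitelist:
        return True
    return token == VALID_TOKEN


def _quote(identifier):
    """Reject anything that is not a plain identifier, then quote it."""
    if not IDENT.match(identifier):
        raise ValueError("bad identifier")
    return '"' + identifier + '"'


def load_csv(conn, table, data, if_exists):
    """Stand-in for pandas.read_csv(...).to_sql(table, conn, if_exists=...).

    'replace' drops an existing table and recreates it from the file header,
    'fail' refuses to touch an existing table, 'append' only inserts rows.
    """
    rows = list(csv.reader(io.StringIO(data.decode())))
    header, body = rows[0], rows[1:]
    cur = conn.cursor()
    exists = cur.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (table,)
    ).fetchone() is not None
    if exists and if_exists == "fail":
        raise ValueError("table exists")
    if if_exists == "replace":
        cur.execute("DROP TABLE IF EXISTS " + _quote(table))
        exists = False
    if not exists:
        cols = ", ".join(_quote(c) + " TEXT" for c in header)
        cur.execute("CREATE TABLE %s (%s)" % (_quote(table), cols))
    placeholders = ", ".join("?" for _ in header)
    cur.executemany(
        "INSERT INTO %s VALUES (%s)" % (_quote(table), placeholders), body)
    conn.commit()


def handle_upload(conn, path, token, whitelist, table, data, if_exists):
    """Request path of the upload handler; returns an HTTP-like status code."""
    if not is_authenticated(path, token, whitelist):
        return 401
    try:
        load_csv(conn, table, data, if_exists)
    except ValueError:
        return 409
    return 200


def seed(conn):
    """Constructed pre-existing application table the attacker wants to overwrite."""
    conn.execute('CREATE TABLE "users" ("name" TEXT, "role" TEXT)')
    conn.execute('INSERT INTO "users" VALUES (?, ?)', ("alice", "viewer"))
    conn.commit()


def users(conn):
    return conn.execute('SELECT "name", "role" FROM "users" ORDER BY 1').fetchall()


ATTACK_CSV = b"name,role\nmallory,admin\n"   # constructed attacker upload


def run(whitelist, if_exists, token=None):
    """Upload ATTACK_CSV as table 'users'; returns (status, rows of users)."""
    conn = sqlite3.connect(":memory:")
    seed(conn)
    status = handle_upload(conn, UPLOAD_PATH, token, whitelist,
                           "users", ATTACK_CSV, if_exists)
    return status, users(conn)


if __name__ == "__main__":
    print("vulnerable:", run(WHITELIST_VULNERABLE, "replace"))
    print("fixed:     ", run(WHITELIST_FIXED, "fail"))
```

With the vulnerable whitelist and 'replace' the unauthenticated upload returns 200 and the users table now holds only the attacker's row. Removing the path from the whitelist turns the same request into a 401, and switching the write mode away from 'replace' is the second, independent layer: even an authenticated caller can then no longer drop an existing table by picking its name.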


Weakness Enumeration

Missing Authentication

Related Identifiers

CVE-2025-69285
GHSA-CRFM-CCH4-HJPV

Affected Products

Postgresql
Sqlbot
Pandas