PT-2026-60103 · Anyquery · Anyquery

Published

2026-07-14

·

Updated

2026-07-15

·

CVE-2026-54629

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Anyquery (affected versions not specified)
Description When operated in server mode, the software lacks input sanitization and access control for its built-in SQLite virtual table modules, such as csv reader and log reader. Unauthenticated attackers can connect to the MySQL-compatible server port and create virtual tables that point to local files on the system. This occurs because the server handler does not restrict these modules to safe directories, allowing the process to read any file it has access to, including sensitive system configurations and credentials.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. Implement a sandboxing mechanism in server mode to limit read * operations to designated directories.

Files Accessible to External Parties

Missing Authorization

Path traversal

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

CVE-2026-54629
GHSA-MF78-3RPF-R784

Affected Products

Anyquery