PT-2026-60103 · Anyquery · Anyquery
Published
2026-07-14
·
Updated
2026-07-15
·
CVE-2026-54629
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Anyquery (affected versions not specified)
Description
When operated in server mode, the software lacks input sanitization and access control for its built-in SQLite virtual table modules, such as
csv reader and log reader. Unauthenticated attackers can connect to the MySQL-compatible server port and create virtual tables that point to local files on the system. This occurs because the server handler does not restrict these modules to safe directories, allowing the process to read any file it has access to, including sensitive system configurations and credentials.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Implement a sandboxing mechanism in server mode to limit
read * operations to designated directories.Files Accessible to External Parties
Missing Authorization
Path traversal
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Anyquery