Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
3 vulnerabilities by CodePhiliaX
CVE-2026-4586 (GCVE-0-2026-4586)
Vulnerability from cvelistv5 – Published: 2026-03-23 12:08 – Updated: 2026-03-23 16:00
VLAI
Title
CodePhiliaX Chat2DB JDBC Driver Upload JdbcDriverController.java upload unrestricted upload
Summary
A vulnerability was found in CodePhiliaX Chat2DB up to 0.3.7. This affects the function Upload of the file chat2db-server/chat2db-server-web/chat2db-server-web-api/src/main/java/ai/chat2db/server/web/api/controller/driver/JdbcDriverController.java of the component JDBC Driver Upload. Performing a manipulation results in unrestricted upload. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.352432 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.352432 | signaturepermissions-required |
| https://vuldb.com/?submit.775596 | third-party-advisory |
| https://fx4tqqfvdw4.feishu.cn/docx/PgtzdpfoWoTR0y… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CodePhiliaX | Chat2DB |
Affected:
0.3.0
Affected: 0.3.1 Affected: 0.3.2 Affected: 0.3.3 Affected: 0.3.4 Affected: 0.3.5 Affected: 0.3.6 Affected: 0.3.7 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4586",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T16:00:30.624557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T16:00:39.682Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"JDBC Driver Upload"
],
"product": "Chat2DB",
"vendor": "CodePhiliaX",
"versions": [
{
"status": "affected",
"version": "0.3.0"
},
{
"status": "affected",
"version": "0.3.1"
},
{
"status": "affected",
"version": "0.3.2"
},
{
"status": "affected",
"version": "0.3.3"
},
{
"status": "affected",
"version": "0.3.4"
},
{
"status": "affected",
"version": "0.3.5"
},
{
"status": "affected",
"version": "0.3.6"
},
{
"status": "affected",
"version": "0.3.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "xcxr (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in CodePhiliaX Chat2DB up to 0.3.7. This affects the function Upload of the file chat2db-server/chat2db-server-web/chat2db-server-web-api/src/main/java/ai/chat2db/server/web/api/controller/driver/JdbcDriverController.java of the component JDBC Driver Upload. Performing a manipulation results in unrestricted upload. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T12:08:23.956Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-352432 | CodePhiliaX Chat2DB JDBC Driver Upload JdbcDriverController.java upload unrestricted upload",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.352432"
},
{
"name": "VDB-352432 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.352432"
},
{
"name": "Submit #775596 | CodePhiliaX Chat2DB Chat2DB \u003c= 0.3.7 Unrestricted Upload",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.775596"
},
{
"tags": [
"exploit"
],
"url": "https://fx4tqqfvdw4.feishu.cn/docx/PgtzdpfoWoTR0yxB7P6cujGanih?from=from_copylink"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-22T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-22T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-22T13:07:00.000Z",
"value": "VulDB entry last update"
}
],
"title": "CodePhiliaX Chat2DB JDBC Driver Upload JdbcDriverController.java upload unrestricted upload"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4586",
"datePublished": "2026-03-23T12:08:23.956Z",
"dateReserved": "2026-03-22T09:37:11.395Z",
"dateUpdated": "2026-03-23T16:00:39.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4173 (GCVE-0-2026-4173)
Vulnerability from cvelistv5 – Published: 2026-03-15 09:02 – Updated: 2026-03-17 13:20
VLAI
Title
CodePhiliaX Chat2DB Database Export DMDBManage.java updateProcedure sql injection
Summary
A flaw has been found in CodePhiliaX Chat2DB up to 0.3.7. This vulnerability affects the function exportTable/exportTableColumnComment/exportView/exportProcedure/exportTriggers/exportTrigger/updateProcedure of the file DMDBManage.java of the component Database Export Handler. This manipulation causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.351080 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.351080 | signaturepermissions-required |
| https://vuldb.com/?submit.769775 | third-party-advisory |
| https://github.com/AnalogyC0de/public_exp/issues/21 | exploitissue-tracking |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CodePhiliaX | Chat2DB |
Affected:
0.3.0
Affected: 0.3.1 Affected: 0.3.2 Affected: 0.3.3 Affected: 0.3.4 Affected: 0.3.5 Affected: 0.3.6 Affected: 0.3.7 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4173",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-17T13:20:39.491908Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-17T13:20:49.751Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Database Export Handler"
],
"product": "Chat2DB",
"vendor": "CodePhiliaX",
"versions": [
{
"status": "affected",
"version": "0.3.0"
},
{
"status": "affected",
"version": "0.3.1"
},
{
"status": "affected",
"version": "0.3.2"
},
{
"status": "affected",
"version": "0.3.3"
},
{
"status": "affected",
"version": "0.3.4"
},
{
"status": "affected",
"version": "0.3.5"
},
{
"status": "affected",
"version": "0.3.6"
},
{
"status": "affected",
"version": "0.3.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Ana10gy (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in CodePhiliaX Chat2DB up to 0.3.7. This vulnerability affects the function exportTable/exportTableColumnComment/exportView/exportProcedure/exportTriggers/exportTrigger/updateProcedure of the file DMDBManage.java of the component Database Export Handler. This manipulation causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "SQL Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-15T09:02:08.163Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-351080 | CodePhiliaX Chat2DB Database Export DMDBManage.java updateProcedure sql injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.351080"
},
{
"name": "VDB-351080 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.351080"
},
{
"name": "Submit #769775 | CodePhiliaX Chat2DB \u003c=0.3.7 SQL Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.769775"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/AnalogyC0de/public_exp/issues/21"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-14T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-14T16:08:51.000Z",
"value": "VulDB entry last update"
}
],
"title": "CodePhiliaX Chat2DB Database Export DMDBManage.java updateProcedure sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4173",
"datePublished": "2026-03-15T09:02:08.163Z",
"dateReserved": "2026-03-14T15:03:38.828Z",
"dateUpdated": "2026-03-17T13:20:49.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-9148 (GCVE-0-2025-9148)
Vulnerability from cvelistv5 – Published: 2025-08-19 17:02 – Updated: 2025-08-19 20:01
VLAI
Title
CodePhiliaX Chat2DB JDBC Connection DataSourceController.java sql injection
Summary
A vulnerability was found in CodePhiliaX Chat2DB up to 0.3.7. This affects an unknown function of the file ai/chat2db/server/web/api/controller/data/source/DataSourceController.java of the component JDBC Connection Handler. The manipulation results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.320527 | vdb-entry |
| https://vuldb.com/?ctiid.320527 | signaturepermissions-required |
| https://vuldb.com/?submit.628912 | third-party-advisory |
| https://hip-motorcycle-97a.notion.site/Chat2DB-H2… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CodePhiliaX | Chat2DB |
Affected:
0.3.0
Affected: 0.3.1 Affected: 0.3.2 Affected: 0.3.3 Affected: 0.3.4 Affected: 0.3.5 Affected: 0.3.6 Affected: 0.3.7 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9148",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-19T20:01:13.930750Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-19T20:01:27.018Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"JDBC Connection Handler"
],
"product": "Chat2DB",
"vendor": "CodePhiliaX",
"versions": [
{
"status": "affected",
"version": "0.3.0"
},
{
"status": "affected",
"version": "0.3.1"
},
{
"status": "affected",
"version": "0.3.2"
},
{
"status": "affected",
"version": "0.3.3"
},
{
"status": "affected",
"version": "0.3.4"
},
{
"status": "affected",
"version": "0.3.5"
},
{
"status": "affected",
"version": "0.3.6"
},
{
"status": "affected",
"version": "0.3.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "jmx0hxq (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in CodePhiliaX Chat2DB up to 0.3.7. This affects an unknown function of the file ai/chat2db/server/web/api/controller/data/source/DataSourceController.java of the component JDBC Connection Handler. The manipulation results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "In CodePhiliaX Chat2DB bis 0.3.7 ist eine Schwachstelle entdeckt worden. Das betrifft eine unbekannte Funktionalit\u00e4t der Datei ai/chat2db/server/web/api/controller/data/source/DataSourceController.java der Komponente JDBC Connection Handler. Die Manipulation f\u00fchrt zu sql injection. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Die Schwachstelle wurde \u00f6ffentlich offengelegt und k\u00f6nnte ausgenutzt werden."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "SQL Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-19T17:02:06.237Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-320527 | CodePhiliaX Chat2DB JDBC Connection DataSourceController.java sql injection",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.320527"
},
{
"name": "VDB-320527 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.320527"
},
{
"name": "Submit #628912 | CodePhiliaX Chat2DB 0.3.7 JDBC Connection Remote Code Execution",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.628912"
},
{
"tags": [
"exploit"
],
"url": "https://hip-motorcycle-97a.notion.site/Chat2DB-H2-JDBC-Connection-Remote-Code-Execution-2465f5e4caac80999d51dc98e8fc935f"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-19T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-19T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-19T09:47:41.000Z",
"value": "VulDB entry last update"
}
],
"title": "CodePhiliaX Chat2DB JDBC Connection DataSourceController.java sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9148",
"datePublished": "2025-08-19T17:02:06.237Z",
"dateReserved": "2025-08-19T07:42:37.251Z",
"dateUpdated": "2025-08-19T20:01:27.018Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}