{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4506", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-20T14:08:32.558Z", "datePublished": "2026-03-20T22:02:10.070Z", "dateUpdated": "2026-03-23T16:40:22.537Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-20T22:02:10.070Z"}, "title": "Mindinventory MindSQL mindsql_core.py ask_db code injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "Mindinventory", "product": "MindSQL", "versions": [{"version": "0.2.0", "status": "affected"}, {"version": "0.2.1", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Mindinventory MindSQL up to 0.2.1. Impacted is the function ask_db of the file mindsql/core/mindsql_core.py. Performing a manipulation results in code injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-20T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-20T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-20T15:13:41.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Goku (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/?id.352072", "name": "VDB-352072 | Mindinventory MindSQL mindsql_core.py ask_db code injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352072", "name": "VDB-352072 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.773898", "name": "Submit #773898 | Mindinventory MindSQL v0.2.1 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Ka7arotto/cve/blob/main/MindSQL-RCE.md", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T16:21:44.328687Z", "id": "CVE-2026-4506", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:40:22.537Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4506", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T16:21:44.328687Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:21:45.420Z"}}], "cna": {"title": "Mindinventory MindSQL mindsql_core.py ask_db code injection", "credits": [{"lang": "en", "type": "reporter", "value": "Goku (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "Mindinventory", "product": "MindSQL", "versions": [{"status": "affected", "version": "0.2.0"}, {"status": "affected", "version": "0.2.1"}]}], "timeline": [{"lang": "en", "time": "2026-03-20T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-20T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-20T15:13:41.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.352072", "name": "VDB-352072 | Mindinventory MindSQL mindsql_core.py ask_db code injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352072", "name": "VDB-352072 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.773898", "name": "Submit #773898 | Mindinventory MindSQL v0.2.1 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Ka7arotto/cve/blob/main/MindSQL-RCE.md", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Mindinventory MindSQL up to 0.2.1. Impacted is the function ask_db of the file mindsql/core/mindsql_core.py. Performing a manipulation results in code injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-20T22:02:10.070Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4506", "state": "PUBLISHED", "dateUpdated": "2026-03-23T16:40:22.537Z", "dateReserved": "2026-03-20T14:08:32.558Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-20T22:02:10.070Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Mindinventory MindSQL up to 0.2.1. Impacted is the function ask_db of the file mindsql/core/mindsql_core.py. Performing a manipulation results in code injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en Mindinventory MindSQL hasta 0.2.1. Impactada es la funci\u00f3n ask_db del archivo mindsql/core/mindsql_core.py. Realizar una manipulaci\u00f3n resulta en inyecci\u00f3n de c\u00f3digo. El ataque puede ser iniciado remotamente. El exploit ha sido hecho p\u00fablico y podr\u00eda ser usado. El proveedor fue contactado tempranamente sobre esta divulgaci\u00f3n pero no respondi\u00f3 de ninguna manera."}], "id": "CVE-2026-4506", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-20T22:16:29.960", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/Ka7arotto/cve/blob/main/MindSQL-RCE.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.352072"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.352072"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.773898"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.2.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.2.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "MindSQL", "source": "cna", "vendor": "Mindinventory"}, "product": "mindsql", "vendor": "mindinventory"}], "analysis": {"en": {"generated_at": "2026-03-20T23:24:27.919727+00:00", "value": {"mitigation_remediation": ["Verify the installed MindSQL version and confirm whether it is 0.2.1 or earlier.", "Check Mindinventory\u2019s website or vendor resources for an updated release that addresses the injection flaw.", "If a patched version is not immediately available, restrict network access to the MindSQL service or limit the exposure of the ask_db endpoint to trusted users only.", "Implement input validation or filtering for data reaching ask_db while a patch is pending.", "Continuously monitor vendor advisories and security mailing lists for patch releases or additional mitigations."], "summary": {"action": "Assess Impact", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "Mindinventory MindSQL versions up to 0.2.1 are affected. Users running any release prior to or including 0.2.1 should verify their installation and check for updates.", "description_and_impact": "A code injection vulnerability exists in the ask_db function of MindSQL version 0.2.1 or earlier. If an attacker supplies a crafted input to this function, the application can execute arbitrary code, compromising the confidentiality, integrity, and availability of the system.\n\nThe weakness is a direct injection that allows remote actors to run malicious code through the database query interface. No specific authentication requirements are mentioned, implying that the attack can be launched from an unauthenticated or remote user session.\n\nThe risk is moderate, reflected by a CVSS score of 5.3. The EPSS score is not available, and the vulnerability is not included in the CISA KEV catalog. However, the exploit is publicly disclosed and the vendor has not released a fix, increasing the likelihood of real-world exploitation.", "risk_and_exploitability": "This vulnerability carries a moderate severity rating with a CVSS score of 5.3. The lack of an EPSS score means the exact exploitation probability is unknown, but the public availability of the exploit code and the vendor's non\u2011responsive stance suggest that the potential for use is significant. Attackers can exploit the vulnerability remotely through the ask_db functionality without prior authentication, posing a serious threat if the system is exposed to untrusted inputs."}}}}, "created": "2026-03-23T09:52:31.374866+00:00", "updated": "2026-03-25T14:34:25.184262+00:00", "vendors": ["mindinventory", "mindinventory$PRODUCT$mindsql"]}