Description
A vulnerability was found in Mindinventory MindSQL up to 0.2.1. Impacted is the function ask_db of the file mindsql/core/mindsql_core.py. Performing a manipulation results in code injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Assess Impact
AI Analysis

Impact

A code injection vulnerability exists in the ask_db function of MindSQL version 0.2.1 or earlier. If an attacker supplies a crafted input to this function, the application can execute arbitrary code, compromising the confidentiality, integrity, and availability of the system. The weakness is a direct injection that allows remote actors to run malicious code through the database query interface. No specific authentication requirements are mentioned, implying that the attack can be launched from an unauthenticated or remote user session. The risk is moderate, reflected by a CVSS score of 5.3. The EPSS score is not available, and the vulnerability is not included in the CISA KEV catalog. However, the exploit is publicly disclosed and the vendor has not released a fix, increasing the likelihood of real-world exploitation.

Affected Systems

Mindinventory MindSQL versions up to 0.2.1 are affected. Users running any release prior to or including 0.2.1 should verify their installation and check for updates.

Risk and Exploitability

This vulnerability carries a moderate severity rating with a CVSS score of 5.3. The lack of an EPSS score means the exact exploitation probability is unknown, but the public availability of the exploit code and the vendor's non‑responsive stance suggest that the potential for use is significant. Attackers can exploit the vulnerability remotely through the ask_db functionality without prior authentication, posing a serious threat if the system is exposed to untrusted inputs.

Generated by OpenCVE AI on March 20, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the installed MindSQL version and confirm whether it is 0.2.1 or earlier.
  • Check Mindinventory’s website or vendor resources for an updated release that addresses the injection flaw.
  • If a patched version is not immediately available, restrict network access to the MindSQL service or limit the exposure of the ask_db endpoint to trusted users only.
  • Implement input validation or filtering for data reaching ask_db while a patch is pending.
  • Continuously monitor vendor advisories and security mailing lists for patch releases or additional mitigations.

Generated by OpenCVE AI on March 20, 2026 at 23:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m6m4-34cj-4hh7 MindSQL is vulnerable to Code Injection through its ask_db function
History

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Mindinventory
Mindinventory mindsql
Vendors & Products Mindinventory
Mindinventory mindsql

Fri, 20 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in Mindinventory MindSQL up to 0.2.1. Impacted is the function ask_db of the file mindsql/core/mindsql_core.py. Performing a manipulation results in code injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Mindinventory MindSQL mindsql_core.py ask_db code injection
Weaknesses CWE-74
CWE-94
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Mindinventory Mindsql
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-23T16:40:22.537Z

Reserved: 2026-03-20T14:08:32.558Z

Link: CVE-2026-4506

cve-icon Vulnrichment

Updated: 2026-03-23T16:21:45.420Z

cve-icon NVD

Status : Deferred

Published: 2026-03-20T22:16:29.960

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-4506

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:34:25Z

Weaknesses