CVE-2026-4530 - Vulnerability Details

- apconw Aix-DB terminology_retriever.py sql injection

Description

A security flaw has been discovered in apconw Aix-DB up to 1.2.3. This impacts an unknown function of the file agent/text2sql/rag/terminology_retriever.py. Performing a manipulation of the argument Description results in sql injection. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-03-21

Score: 4.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw is a local SQL injection vulnerability arising from the manipulation of the Description parameter in the terminology_retriever.py component of apconw Aix-DB. By injecting malicious SQL statements, an attacker who can execute code on the affected system may read, modify, or delete data stored in the database. The weakness is a classic example of CWE‑74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE‑89 (SQL Injection).

Affected Systems

apconw Aix-DB versions up to and including 1.2.3 are susceptible. The vulnerability originates in the agent/text2sql/rag/terminology_retriever.py module. No specific revision or patch level is provided beyond the 1.2.3 ceiling.

Risk and Exploitability

The CVSS v3.1 base score of 4.8 reflects a moderate severity. The exploit requires local access, meaning an attacker must already have the ability to run code or log into the system. An attacker can use the publicly disclosed exploit to trigger the injection and compromise data. EPSS information is missing and the issue is not listed in the CISA KEV catalog, suggesting that while publicized, it has not yet attracted widespread exploitation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

apconw

Aix-DB

affected

Version	Status	Constraints
`1.2.0`	affected	—
`1.2.1`	affected	—
`1.2.2`	affected	—
`1.2.3`	affected	—

No data.

Vendor Product Confidence Versions

Apconw

Aix-db

100%

Version	Status	Scheme	Platform
`1.2.0`	affected	semver	—
`1.2.1`	affected	semver	—
`1.2.2`	affected	semver	—
`1.2.3`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest available patch for apconw Aix-DB or upgrade to a version later than 1.2.3.
If no patch is available, restrict local access to the database and review user permissions to limit the impact of a potential injection.
Monitor database logs for unusual query patterns and block or sanitize input to the Description parameter until a fix is deployed.

Generated by OpenCVE AI on March 22, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00027.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/Ka7arotto/cve/blob/main/Aix-DB-nl2sql.md
https://vuldb.com/?ctiid.352318
https://vuldb.com/?id.352318
https://vuldb.com/?submit.774072

History

Tue, 24 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 23 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apconw Apconw aix-db
Vendors & Products		Apconw Apconw aix-db

Sat, 21 Mar 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description		A security flaw has been discovered in apconw Aix-DB up to 1.2.3. This impacts an unknown function of the file agent/text2sql/rag/terminology_retriever.py. Performing a manipulation of the argument Description results in sql injection. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title		apconw Aix-DB terminology_retriever.py sql injection
Weaknesses		CWE-74 CWE-89
References		https://github.com/Ka7arotto/cve/blob/main/Aix-DB-nl2sql.md https://vuldb.com/?ctiid.352318 https://vuldb.com/?id.352318 https://vuldb.com/?submit.774072
Metrics		cvssV2_0 `{'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Apconw Aix-db

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-21T23:32:10.938Z

Updated: 2026-03-24T14:26:23.607Z

Reserved: 2026-03-21T07:44:02.771Z

Link: CVE-2026-4530

Vulnrichment

Updated: 2026-03-24T14:26:12.309Z

NVD

Status : Deferred

Published: 2026-03-22T00:16:06.187

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-4530

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:46:56Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object