CVE-2026-5417 | Dataease SQLbot up to 1.6.0 Elasticsearch es_engine.py get_es_data_by_http address server-side request forgery

Inserito da Angelo Barbosa | Apr 2, 2026 | CVE

A vulnerability identified as critical has been detected in Dataease SQLbot up to 1.6.0. This issue affects the function get_es_data_by_http of the file backend/apps/db/es_engine.py of the component Elasticsearch Handler. This manipulation of the argument address causes server-side request forgery.

This vulnerability appears as CVE-2026-5417. The attack may be initiated remotely. In addition, an exploit is available.

You should upgrade the affected component.

The vendor was contacted early about this disclosure.

CVE-2026-5417 | Dataease SQLbot up to 1.6.0 Elasticsearch es_engine.py get_es_data_by_http address server-side request forgery

Post correlati

CVE-2024-0989 | Sichuan Yougou Technology KuERP up to 1.0.4 Service.php del_sn_db file path traversal

CVE-2024-56972 | Midea Home 9.3.12 on iOS Link information disclosure

CVE-2025-8776 | Epic Bootstrap Buttons Plugin up to 1.0 on WordPress icol cross site scripting

CVE-2025-11629 | RainyGao DocSys up to 2.02.36 /Manage/getUserList.do getUserList sql injection