Qanything

qanything

Vendor: Qanything • 3 CVEs

CVEs (3)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-8026 1Qanything 1Qanything Mar 26, 2025 Mar 20, 2025 N/A· v4 8.1 HIGH· v3 N/A· v2 A Cross-Site Request Forgery (CSRF) vulnerability exists in the backend API of netease-youdao/qanything, as of commit d9ab8bc. The backend server has overly permissive CORS headers, allowing all cross-origin calls. This...Show more A Cross-Site Request Forgery (CSRF) vulnerability exists in the backend API of netease-youdao/qanything, as of commit d9ab8bc. The backend server has overly permissive CORS headers, allowing all cross-origin calls. This vulnerability affects all backend endpoints, enabling actions such as creating, uploading, listing, deleting files, and managing knowledge bases.Show less
CVE-2024-7099 1Qanything 1Qanything Jul 30, 2025 Oct 13, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 netease-youdao/qanything version 1.4.1 contains a vulnerability where unsafe data obtained from user input is concatenated in SQL queries, leading to SQL injection. The affected functions include `get_knowledge_base_name...Show more netease-youdao/qanything version 1.4.1 contains a vulnerability where unsafe data obtained from user input is concatenated in SQL queries, leading to SQL injection. The affected functions include `get_knowledge_base_name`, `from_status_to_status`, `delete_files`, and `get_file_by_status`. An attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially stealing information from the database. The issue is fixed in version 1.4.2.Show less
CVE-2024-25722 1Qanything 1Qanything Jun 11, 2025 Feb 11, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 qanything_kernel/connector/database/mysql/mysql_client.py in qanything.ai QAnything before 1.2.0 allows SQL Injection.