Andrei Fajardo

2 exploits Active since Mar 2025

CVE-2024-12909 WRITEUP CRITICAL WRITEUP

Llamaindex < 0.3.0 - SQL Injection

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for SQL injection in the `run_sql_query` function of the `database_agent`. This vulnerability can be exploited by an attacker to inject arbitrary SQL queries, leading to remote code execution (RCE) through the use of PostgreSQL's large object functionality. The issue is fixed in version 0.3.0.

CVSS 9.8

View Code

CVE-2024-12911 WRITEUP HIGH WRITEUP

Llamaindex < 0.5.1 - SQL Injection

A vulnerability in the `default_jsonalyzer` function of the `JSONalyzeQueryEngine` in the run-llama/llama_index repository allows for SQL injection via prompt injection. This can lead to arbitrary file creation and Denial-of-Service (DoS) attacks. The vulnerability affects the latest version and is fixed in version 0.5.1.

CVSS 7.1

View Code