CVE-2026-7023
MEDIUMByteDance coze-studio databaseTool database_impl.go ExecuteSQL sql injection
Title source: cnaDescription
A vulnerability was detected in ByteDance coze-studio up to 0.5.1. Affected by this vulnerability is the function ExecuteSQL of the file backend/domain/memory/database/service/database_impl.go of the component databaseTool. Performing a manipulation results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Scores
CVSS v3
6.3
EPSS
0.0003
EPSS Percentile
7.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-74
CWE-89
Status
published
Products (2)
ByteDance/coze-studio
0.5.0
ByteDance/coze-studio
0.5.1
Published
Apr 26, 2026
Tracked Since
Apr 26, 2026