An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for list item creation. If such a query is specially crafted to contain Python code and is run against the database, the code will be passed to an eval function and executed on the server.

Affected Packages

PyPI mindsdb

Affected versions: 23.10.5.0 (fixed in 24.7.4.1)

Related CVEs

CVE-2024-45851

Key Information

GHSA ID

GHSA-wf9g-c67g-h4ch

Published

September 12, 2024 3:33 PM

Last Modified

September 16, 2024 10:33 PM

CVSS Score

7.5 /10

Primary Ecosystem

PyPI

Primary Package

mindsdb

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 9, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.