CVE-2025-1750 · CRITICAL 9.8 · EPSS percentile 48.5%


Description

An SQL injection vulnerability exists in the delete function of DuckDBVectorStore in run-llama/llama_index version v0.12.19. This vulnerability allows an attacker to manipulate the ref_doc_id parameter, enabling them to read and write arbitrary files on the server, potentially leading to remote code execution (RCE).

Scoring

CVSS 3.0: 9.8 (CRITICAL)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.70% probability of exploitation · percentile 48.5% · scored 2026-06-19T12:03:05Z
Published: 2025-06-02
Last modified: 2025-07-31

Underlying weaknesses · 1

CWE-89

References

  1. https://github.com/run-llama/llama_index/commit/369a2942df2efcf6b74461c45d20a0af1fbe4ae2
  2. https://huntr.com/bounties/e1302233-9180-4269-9047-1526247d2cd8


Type: Weakness
Target: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (cwe-89)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-1793 (CVE)
  2. CVE-2025-5302 (CVE)
  3. CVE-2025-66944 (CVE)
  4. CVE-2025-45146 (CVE)
  5. CVE-2025-45150 (CVE)
  6. CVE-2026-41705 (CVE)
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.