GHSA-pjwm-cr36-mwv3: ReDoS in giskard's transformation.py (GHSL-2024-324)

GHSA-j3vq-pmp5-r5xj: Missing ratelimit on passwrod resets in zenml

GHSA-j3px-q95c-9683: zlib-rs stack overflow during decompression with malicious input

GHSA-p2h2-3vg9-4p87: Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer

GHSA-hff8-hjwv-j9q7: Remote Code Execution on click of <a> Link in markdown preview

LlamaIndex (aka llama_index) through 0.9.35 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's student records via "Drop the Students table" within English language input.

**SQL injection in llama-index**

High severity GitHub Reviewed Published Jan 22, 2024 to the GitHub Advisory Database • Updated Jan 23, 2024

Headline

GHSA-2jxw-4hm4-6w87: SQL injection in llama-index

ghsa: Latest News