CVE-2026-28795

OpenChatBI is an intelligent chat-based BI tool powered by large language models, designed to help users query, analyze, and visualize data through natural language conversations. Prior to version 0.2.2, the save_report tool in openchatbi/tool/save_report.py suffers from a critical path traversal vulnerability due to insufficient input sanitization of the file_format parameter. This issue has been patched in version 0.2.2.
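As an added illustration of the CWE-22 mitigation for a format parameter (this is example code, not OpenChatBI's own `save_report` implementation; the allowlist, the report directory and the function names are assumptions), a safe way to build the output path is to allowlist the format and then prove the resolved path stays inside the report directory:

```python
"""Hardened output-path construction for a report-saving tool.

Added example, not code from the OpenChatBI project. Assumed names:
ALLOWED_FORMATS, REPORT_DIR, normalize_format, safe_report_path, is_accepted.
"""
from pathlib import Path

# Hypothetical allowlist of output formats; the project's real list is not on this page.
ALLOWED_FORMATS = frozenset({"csv", "json", "md", "html"})
# Constructed base directory for the example; nothing is written to disk here.
REPORT_DIR = Path("/tmp/openchatbi_reports_example")


def normalize_format(file_format: str) -> str:
    """Return the canonical extension, or raise if file_format is not allowlisted.

    An allowlist makes the CWE-22 class of input (path separators, '..',
    absolute paths, NUL bytes) impossible to express, instead of trying to
    strip such sequences out of untrusted text.
    """
    fmt = file_format.strip().lower()
    if fmt not in ALLOWED_FORMATS:
        raise ValueError(f"unsupported file_format: {file_format!r}")
    return fmt


def safe_report_path(report_name: str, file_format: str,
                     base_dir: Path = REPORT_DIR) -> Path:
    """Build <base_dir>/<report_name>.<fmt> and verify it stays inside base_dir."""
    fmt = normalize_format(file_format)
    # The name component gets the same treatment: a strict character allowlist.
    if not report_name or not all(c.isalnum() or c in "-_" for c in report_name):
        raise ValueError(f"invalid report_name: {report_name!r}")
    base = base_dir.resolve()
    candidate = (base / f"{report_name}.{fmt}").resolve()
    # Defence in depth: even if the checks above are loosened later, the
    # resolved target must still be a direct child of the report directory.
    if candidate.parent != base:
        raise ValueError(f"path escapes report directory: {candidate}")
    return candidate


def is_accepted(report_name: str, file_format: str) -> bool:
    """True if the pair yields a safe path under REPORT_DIR, False otherwise."""
    try:
        safe_report_path(report_name, file_format)
        return True
    except ValueError:
        return False
```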
Configurations

Configuration 1

cpe:2.3:a:zhongyu09:openchatbi:*:*:*:*:*:*:*:*

History

10 Mar 2026, 19:45

Type | Values Removed | Values Added
CPE | | cpe:2.3:a:zhongyu09:openchatbi:*:*:*:*:*:*:*:*
First Time | | Zhongyu09 openchatbi; Zhongyu09
Summary | | (es) OpenChatBI is an intelligent chat-based BI tool powered by large language models, designed to help users query, analyze, and visualize data through natural language conversations. Prior to version 0.2.2, the save_report tool in openchatbi/tool/save_report.py suffers from a critical path traversal vulnerability due to insufficient input sanitization of the file_format parameter. This issue has been patched in version 0.2.2.
References | https://github.com/zhongyu09/openchatbi/commit/372a7e861da5159c3106d64d6f6edf8284db8c75 | https://github.com/zhongyu09/openchatbi/commit/372a7e861da5159c3106d64d6f6edf8284db8c75 (Patch)
References | https://github.com/zhongyu09/openchatbi/issues/10 | https://github.com/zhongyu09/openchatbi/issues/10 (Issue Tracking)
References | https://github.com/zhongyu09/openchatbi/pull/12 | https://github.com/zhongyu09/openchatbi/pull/12 (Issue Tracking, Patch)
References | https://github.com/zhongyu09/openchatbi/security/advisories/GHSA-vmwq-8g8c-jm79 | https://github.com/zhongyu09/openchatbi/security/advisories/GHSA-vmwq-8g8c-jm79 (Patch, Vendor Advisory)
CVSS | v2: unknown; v3: unknown | v2: unknown; v3: 9.8

06 Mar 2026, 07:16

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2026-03-06 07:16

Updated : 2026-03-10 19:45


NVD link : CVE-2026-28795

Mitre link : CVE-2026-28795

CVE.ORG link : CVE-2026-28795


Products Affected

zhongyu09

  • openchatbi
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')