CVE-2024-12866

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-12866

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-12866.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-12866

Published

2025-03-20T10:15:30.840Z

Modified

2026-04-10T05:10:03.944823Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

A local file inclusion vulnerability exists in netease-youdao/qanything version v2.0.0. This vulnerability allows an attacker to read arbitrary files on the file system, which can lead to remote code execution by retrieving private SSH keys, reading private files, source code, and configuration files.

References

https://huntr.com/bounties/c23da7c7-a226-40a2-83db-6a8ab1b2ef64

Affected packages

Git / github.com/netease-youdao/qanything

Affected ranges

Type

GIT

Repo

https://github.com/netease-youdao/qanything

Events

Introduced

Last affected

f3e96fa41325ea978de6bb3eabbd8d0742f33d0c

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.0.0"
        }
    ]
}

Affected versions

v1.*

v1.1.0

v1.1.1

v1.2.0

v1.4.0-python

v2.*

v2.0.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-12866.json"