Product
Anyquery in server mode is vulnerable to arbitrary file write (AFW) due to its failure to restrict native SQLite disk manipulation commands like `ATTACH DATABASE`. Unauthenticated attackers can connect to the MySQL-compatible server port and write arbitrary files (e.g., PHP webshells, malicious cronjobs) to any path writable by the Anyquery process, which can lead to remote code execution (RCE) with the privileges of the Anyquery process, significantly impacting system integrity and availability.