Vendor
Recce OSS server deployments are vulnerable to unauthenticated SQL execution via the query run API when configured with a DuckDB-backed project, allowing attackers to use DuckDB filesystem primitives to read and write arbitrary files accessible to the server process, potentially leading to data disclosure, tampering, or stored XSS.