GHSA-wvqj-9wv4-7ff5

### Summary An authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases.

### Details The SQLite client and the base/integration create services accepted a caller-supplied filename and passed it to `fs.exists` and `fs.open('w')` without restricting the location. A user could point a source at `noco.db`, at a tenant database under `nc_minimal_dbs/`, or at any writable path the NocoDB process can reach, and then read or overwrite its contents through the regular table APIs.

### Impact Disclosure and modification of NocoDB internal state, of other tenants' databases, and of any file the NocoDB process can read or write. Authentication and base-create permission are required.

### Credit This issue was reported by [@Mouhebbenelwafi](https://github.com/Mouhebbenelwafi).