23 matches found
CVE-2026-25958
Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14...
@cubejs-backend/server (>=1.5.0 <=1.5.12), @cubejs-backend/testing-drivers (>=1.5.0 <=1.5.12) potentially affected by CVE-2026-25958 via @cubejs-backend/server-core (>=1.5.0 <=1.5.12)
@cubejs-backend/server-core NPM version =1.5.0, =1.5.0, =1.5.0, =1.5.12 Source cves: CVE-2026-25958 Source advisory: OSV:GHSA-V226-32C7-X2V7...
@cubejs-backend-json-clone/server (=1.0.0), @cubejs-backend/server (>=0.3.1 <=1.0.13) +4 more potentially affected by CVE-2026-25958 via @cubejs-backend/server-core (>=0.27.53 <=1.0.13)
@cubejs-backend/server-core NPM version =0.27.53, =0.3.1, =0.3.1, =0.8.0, =0.8.0, =0.32.28, =1.0.13 Source cves: CVE-2026-25958 Source advisory: OSV:GHSA-V226-32C7-X2V7...
CVE-2026-25958

creationtimestamp | type | source
---|---|---
2026-02-09 23:23:21+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mehlqejbwx2h
2026-02-10 01:10:06+00:00 | seen | https://gist.github.com/alon710/b5fe90df3763874f070b682a26b7b53b...

@cubejs-backend/server (>=1.5.0 <=1.5.12), @cubejs-backend/server-core (>=1.5.0 <=1.5.12) +1 more potentially affected by CVE-2026-25958 via @cubejs-backend/api-gateway (>=1.5.0 <=1.5.12)
@cubejs-backend/api-gateway NPM version =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.12 Source cves: CVE-2026-25958 Source advisory: SNYK:JS-CUBEJSBACKENDAPIGATEWAY-15265447...
@codefresh-io/cubejs-backend-server-core (>=0.30.77 <=0.35.47-rc.bp.2), @cubejs-backend-json-clone/server (=1.0.0) +17 more potentially affected by CVE-2026-25958 via @cubejs-backend/api-gateway (>=0.27.53 <=1.0.12)
@cubejs-backend/api-gateway NPM version =0.27.53, =0.30.77, =0.3.1, =0.3.1, =0.3.1, =0.8.0, =0.8.0, =0.32.28, =0.33.43, =0.33.43, =0.29.4, =1.0.0, =0.27.30, =0.30.52 and more Source cves: CVE-2026-25958 Source advisory: SNYK:JS-CUBEJSBACKENDAPIGATEWAY-15265447...
CVE-2026-25958 Cube privilege escalation via a specially crafted request
Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14...
CVE-2026-25958
Cube (semantic layer) versions 0.27.19 up to before 1.5.13, 1.4.2, and 1.0.14 are vulnerable to privilege escalation via a specially crafted request with a valid API token. The issue is fixed in 1.5.13, 1.4.2, and 1.0.14. CVSS v3.1 base score 7.7 (HIGH) with attack vector Network, attack complexi...
CVE-2026-25958
Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14...
CVE-2025-25958

creationtimestamp | type | source
---|---|---
2025-02-20 22:17:42+00:00 | published-proof-of-concept | https://t.me/DarkWebInformerCVEAlerts/4820
2025-02-20 23:38:15+00:00 | seen | Telegram/fbZISBgfCVr2rdM-WXYJrFHm4AAKPuVE25sJkFa79i-lSa
2025-02-21 00:57:13+00:00 | seen | https://t.me/cvedetector/18618...

CVE-2025-25958
Cross Site Scripting vulnerabilities in phpcmsv9 v.9.6.3 allows a remote attacker to escalate privileges via a crafted script...
CVE-2025-25958
This CVE (CVE-2025-25958) affects phpcmsv9 v9.6.3 and is a Cross Site Scripting vulnerability that allows a remote attacker to escalate privileges via a crafted script. The vulnerability is documented across multiple sources (NVD, Red Hat, CNNVD, CVE lists) with the root cause described as XSS in...
CVE-2024-25958

creationtimestamp | type | source
---|---|---
2025-01-28 19:17:23+00:00 | seen | https://t.me/DarkWebInformerCVEAlerts/3274...

CVE-2024-25958
Dell Grab for Windows, versions up to and including 5.0.4, contain Weak Application Folder Permissions vulnerability. A local authenticated attacker could potentially exploit this vulnerability, leading to privilege escalation, unauthorized access to application data, unauthorized modification of...
CVE-2024-25958
Dell Grab for Windows, versions up to and including 5.0.4, contain Weak Application Folder Permissions vulnerability. A local authenticated attacker could potentially exploit this vulnerability, leading to privilege escalation, unauthorized access to application data, unauthorized modification of...
CVE-2023-25958
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Justin Saad Simple Tooltips plugin <= 2.1.4 versions...
CVE-2023-25958
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Justin Saad Simple Tooltips plugin <= 2.1.4 versions...
CVE-2023-25958 WordPress Simple Tooltips Plugin <= 2.1.4 is vulnerable to Cross Site Scripting (XSS)
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Justin Saad Simple Tooltips plugin <= 2.1.4 versions...
CVE-2023-25958
CVE-2023-25958 is an admin+ authenticated, stored cross-site scripting (XSS) vulnerability in the WordPress plugin Simple Tooltips
WordPress Simple Tooltips Plugin <= 2.1.4 is vulnerable to Cross Site Scripting (XSS)

Field | Value
---|---
Software | Simple Tooltips
Type | Plugin
Vulnerable versions | <= 2.1.4
Fixed in | N/A
OWASP Top 10 | A7: Cross-Site Scripting (XSS)
Classification | Cross Site Scripting (XSS)
CVE | CVE-2023-25958
Patch priority | Low
CVSS severity | Low (5.9)
PSID | 3aecf353268c
Credits | deokhunKim

Required...