Lucene search
+L

87 matches found

NVD
NVD
added 2026/07/07 10:16 p.m.37 views

CVE-2026-54698

Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field returning SETOF sometable to infer row values that ought to be filtered for their role based on sometable's row-level permissions. While...

6CVSS0.0017EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/07 9:29 p.m.38 views

CVE-2026-54698 Hasura: Row-level authorization bypass on table computed fields

Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field returning SETOF sometable to infer row values that ought to be filtered for their role based on sometable's row-level permissions. While...

6CVSS0.0017EPSS
Exploits0References1
CVE
CVE
added 2026/07/07 9:29 p.m.16 views

CVE-2026-54698

Hasura CVE-2026-54698 describes a row-level authorization bypass on table computed fields. Before versions 2.49.2 and 2.45.5, a user could use a where clause on a table computed field (returning SETOF some_table) to infer rows that should be filtered for their role according to some_table’s row-l...

6CVSS5.9AI score0.0017EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/07 9:29 p.m.7 views

CVE-2026-54698

Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field returning SETOF sometable to infer row values that ought to be filtered for their role based on sometable's row-level permissions. While...

6CVSS5.9AI score0.0017EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/07/07 9:29 p.m.8 views

CVE-2026-54698 Hasura: Row-level authorization bypass on table computed fields

Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field returning SETOF sometable to infer row values that ought to be filtered for their role based on sometable's row-level permissions. While...

6CVSS5.9AI score0.0017EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.8 views

PT-2026-56262

Name of the Vulnerable Software and Affected Versions Hasura versions prior to 2.49.2 Hasura versions prior to 2.45.5 Description A flaw exists where a user can employ a where clause on a table computed field that returns SETOF some table to infer row values. This occurs even when those rows shou...

6CVSS6.1AI score0.0017EPSS
Exploits0References5
NVD
NVD
added 2026/06/29 6:16 p.m.18 views

CVE-2026-57951

Mythic before 3.4.0.60 contains a broken hasura permission filter on the payloadbuildstep table with an always-satisfied or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payloadbuildstep to read stepstdout, stepstderr, stepname, and...

7.1CVSS0.00246EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/29 5:20 p.m.9 views

EUVD-2026-40168

Mythic before 3.4.0.60 contains a broken hasura permission filter on the payloadbuildstep table with an always-satisfied or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payloadbuildstep to read stepstdout, stepstderr, stepname, and...

7.1CVSS5.8AI score0.00246EPSS
Exploits0References4
OSV
OSV
added 2026/06/29 5:20 p.m.5 views

CVE-2026-57951 Mythic < 3.4.0.60 - Broken Permission Filter in payload_build_step Table

Mythic before 3.4.0.60 contains a broken hasura permission filter on the payloadbuildstep table with an always-satisfied or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payloadbuildstep to read stepstdout, stepstderr, stepname, and...

7.1CVSS6AI score0.00246EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.17 views

PT-2026-53669

Name of the Vulnerable Software and Affected Versions Mythic versions prior to 3.4.0.60 Description A broken Hasura permission filter exists on the payload build step table. This issue involves an always-satisfied or condition that bypasses operation-scoped access controls. Consequently,...

7.1CVSS6AI score0.00246EPSS
Exploits0References9
NVD
NVD
added 2026/01/21 6:16 p.m.10 views

CVE-2021-47748

Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the runsql endpoint by crafting malicious GraphQL queries that execute system commands through...

9.8CVSS0.0102EPSS
Exploits1References3
OSV
OSV
added 2026/01/21 6:16 p.m.10 views

CVE-2021-47748

Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the runsql endpoint by crafting malicious GraphQL queries that execute system commands through...

9.3CVSS6.9AI score
Exploits0References3
Cvelist
Cvelist
added 2026/01/21 5:27 p.m.25 views

CVE-2021-47748 Hasura GraphQL 1.3.3 - Remote Code Execution

Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the runsql endpoint by crafting malicious GraphQL queries that execute system commands through...

9.8CVSS0.0102EPSS
Exploits1References3
EUVD
EUVD
added 2026/01/21 5:27 p.m.10 views

EUVD-2026-3661

Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the runsql endpoint by crafting malicious GraphQL queries that execute system commands through...

9.8CVSS7AI score0.0102EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2026/01/21 5:27 p.m.5 views

CVE-2021-47748 Hasura GraphQL 1.3.3 - Remote Code Execution

Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the runsql endpoint by crafting malicious GraphQL queries that execute system commands through...

9.8CVSS7AI score0.0102EPSS
Exploits1References3
CVE
CVE
added 2026/01/21 5:27 p.m.30 views

CVE-2021-47748

CVE-2021-47748 concerns Hasura GraphQL 1.3.3, describing a remote code execution via SQL query manipulation. Attackers can inject commands into the run_sql endpoint, leveraging PostgreSQL COPY FROM PROGRAM to execute system commands. Connected sources corroborate the RCE vector and affected compo...

9.8CVSS7AI score0.0102EPSS
Exploits1References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/01/21 12:0 a.m.10 views

PT-2026-3794

Name of the Vulnerable Software and Affected Versions Hasura GraphQL version 1.3.3 Description Hasura GraphQL version 1.3.3 contains a remote code execution issue. Attackers can execute arbitrary shell commands through SQL query manipulation. The issue allows command injection into the run sql...

9.8CVSS6.6AI score0.0102EPSS
Exploits1References6
CNNVD
CNNVD
added 2026/01/21 12:0 a.m.10 views

Hasura GraphQL Engine: Operating System Command Injection Vulnerability

Hasura GraphQL Engine is a very fast GraphQL server developed by Hasura as open source. Version 1.3.3 of Hasura GraphQL Engine contains a vulnerability related to operating system command injection. This vulnerability stems from SQL queries that allow remote code execution, potentially enabling t...

9.8CVSS6.4AI score0.0102EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2025/12/23 11:29 p.m.14 views

CVE-2021-47714

Hasura GraphQL 1.3.3 contains a local file read vulnerability that allows attackers to access system files through SQL injection in the query endpoint. Attackers can exploit the pgreadfile PostgreSQL function by crafting malicious SQL queries to read arbitrary files on the server...

6.9CVSS7.6AI score0.00183EPSS
Exploits1References1
EUVD
EUVD
added 2025/12/23 12:30 a.m.9 views

EUVD-2021-34746

Hasura GraphQL 1.3.3 contains a denial of service vulnerability that allows attackers to overwhelm the service by crafting malicious GraphQL queries with excessive nested fields. Attackers can send repeated requests with extremely long query strings and multiple threads to consume server resource...

8.7CVSS6.3AI score0.00405EPSS
Exploits1References4
Rows per page
Query Builder