
299 matches found

Nuclei
added 2 days ago, 54 views

Metabase < 0.46.6.1 - Remote Code Execution

Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2...

CVSS 9.8, AI score 7.8, EPSS 0.94255
Exploits 36, References 6

Nuclei
added 6 days ago, 19 views

Metabase - Local File Inclusion

Metabase is an open source data analytics platform. In affected versions a local file inclusion security issue has been discovered with the custom GeoJSON map (admin->settings->maps->custom maps->add a map) support and potential local file inclusion (including environment variables). URLs were not...

CVSS 10, AI score 7.2, EPSS 0.94353
Exploits 5, References 5

GithubExploit
added 2026/04/06 12:10 p.m., 35 views

Exploit for Deserialization of Untrusted Data in Metabase

CVE-2026-33725 A proof-of-concept exploit for CVE-2026-33725,...

CVSS 7.2, AI score 5.8, EPSS 0.00184
Exploits 1

Tenable Nessus
added 2026/03/31 12:00 a.m., 6 views

Metabase Enterprise < 1.54.22 / 1.55.x < 1.55.22 / 1.56.x < 1.56.22 / 1.57.x < 1.57.16 / 1.58.x < 1.58.10 / 1.59.x < 1.59.4 RCE (GHSA-fppj-vcm3-w229)

The version of Metabase Enterprise installed on the remote host is prior to 1.54.22, 1.55.x prior to 1.55.22, 1.56.x prior to 1.56.22, 1.57.x prior to 1.57.16, 1.58.x prior to 1.58.10, or 1.59.x prior to 1.59.4. It is, therefore, affected by a remote code execution vulnerability: - Authenticated...

CVSS 7.2, AI score 6.8, EPSS 0.00184
Exploits 1, References 2

RedhatCVE
added 2026/03/28 4:56 a.m., 1 views

CVE-2026-33725

Metabase is an open source business intelligence and embedded analytics tool. In Metabase Enterprise prior to versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4, authenticated admins on Metabase Enterprise Edition can achieve Remote Code Execution (RCE) and Arbitrary File Read via the...

CVSS 7.2, AI score 6.2, EPSS 0.00184
Exploits 1, References 1

NVD
added 2026/03/27 1:16 a.m., 0 views

CVE-2026-33725

Metabase is an open source business intelligence and embedded analytics tool. In Metabase Enterprise prior to versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4, authenticated admins on Metabase Enterprise Edition can achieve Remote Code Execution (RCE) and Arbitrary File Read via the...

CVSS 7.2, EPSS 0.00184
Exploits 1, References 1

ATTACKERKB
added 2026/03/27 12:19 a.m., 0 views

CVE-2026-33725

Metabase is an open source business intelligence and embedded analytics tool. In Metabase Enterprise prior to versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4, authenticated admins on Metabase Enterprise Edition can achieve Remote Code Execution (RCE) and Arbitrary File Read via the...

CVSS 7.2, AI score 6.3, EPSS 0.00184
Exploits 1, References 2, Affected Software 1

Cvelist
added 2026/03/27 12:19 a.m., 26 views

CVE-2026-33725 Metabase vulnerable to RCE and Arbitrary File Read via H2 JDBC INIT Injection in EE Serialization Import

Metabase is an open source business intelligence and embedded analytics tool. In Metabase Enterprise prior to versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4, authenticated admins on Metabase Enterprise Edition can achieve Remote Code Execution (RCE) and Arbitrary File Read via the...

CVSS 7.2, EPSS 0.00184
Exploits 1, References 1

EUVD
added 2026/03/27 12:19 a.m., 1 views

EUVD-2026-16502

Metabase is an open source business intelligence and embedded analytics tool. In Metabase Enterprise prior to versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4, authenticated admins on Metabase Enterprise Edition can achieve Remote Code Execution (RCE) and Arbitrary File Read via the...

CVSS 7.2, AI score 6.3, EPSS 0.00184
Exploits 1, References 1

CVE
added 2026/03/27 12:19 a.m., 11 views

CVE-2026-33725

Metabase Enterprise (all versions dating back to at least 1.47) prior to 1.59.4 include a vulnerability where authenticated admins can trigger Remote Code Execution (RCE) and Arbitrary File Read via POST /api/ee/serialization/import. A crafted serialization archive injects an INIT property into t...

CVSS 7.2, AI score 6.3, EPSS 0.00184
Exploits 1, References 1, Affected Software 1

Vulnrichment
added 2026/03/27 12:19 a.m., 0 views

CVE-2026-33725 Metabase vulnerable to RCE and Arbitrary File Read via H2 JDBC INIT Injection in EE Serialization Import

Metabase is an open source business intelligence and embedded analytics tool. In Metabase Enterprise prior to versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4, authenticated admins on Metabase Enterprise Edition can achieve Remote Code Execution (RCE) and Arbitrary File Read via the...

CVSS 7.2, AI score 6.2, EPSS 0.00184
Exploits 1, References 1

CNNVD
added 2026/03/27 12:00 a.m., 3 views

Metabase Code Issue Vulnerability

Metabase is an open-source data analysis platform developed by the American company Metabase. Code vulnerabilities existed in versions of Metabase Enterprise prior to 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4. These vulnerabilities stemmed from deserialization attacks at the...

CVSS 7.2, AI score 6.4, EPSS 0.00184
Exploits 1, References 1

Positive Technologies
added 2026/03/25 12:00 a.m., 1 views

PT-2026-28512

Name of the Vulnerable Software and Affected Versions Metabase Enterprise versions 1.47 through 1.54.21 Metabase Enterprise versions 1.55.0 through 1.55.21 Metabase Enterprise versions 1.56.0 through 1.56.21 Metabase Enterprise versions 1.57.0 through 1.57.15 Metabase Enterprise versions 1.58.0...

CVSS 9, AI score 6.2, EPSS 0.00184
Exploits 1, References 14

Tenable Nessus
added 2026/02/24 12:00 a.m., 3 views

Metabase < 0.57.13 / 0.58.x < 0.58.7 / 1.x < 1.57.13 / 1.58.x < 1.58.7 Information Disclosure

The version of Metabase installed on the remote host is prior to 0.57.13, 0.58.x prior to 0.58.7, 1.x prior to 1.57.13, or 1.58.x prior to 1.58.7. It is, therefore, affected by an information disclosure vulnerability: - Authenticated users are able to retrieve sensitive information from a Metabas...

CVSS 7.7, AI score 5.9, EPSS 0.00049
Exploits 0, References 2

RedhatCVE
added 2026/02/23 1:30 p.m., 1 views

CVE-2026-27464

Metabase is an open-source data analytics platform. In versions prior to 0.57.13 and versions 0.58.x through 0.58.6, authenticated users are able to retrieve sensitive information from a Metabase instance, including database access credentials. During testing, it was confirmed that a low-privileg...

CVSS 7.7, AI score 5.2, EPSS 0.00049
Exploits 0, References 1

NVD
added 2026/02/21 8:16 a.m., 2 views

CVE-2026-27464

Metabase is an open-source data analytics platform. In versions prior to 0.57.13 and versions 0.58.x through 0.58.6, authenticated users are able to retrieve sensitive information from a Metabase instance, including database access credentials. During testing, it was confirmed that a low-privileg...

CVSS 7.7, EPSS 0.00049
Exploits 0, References 3

Cvelist
added 2026/02/21 7:57 a.m., 17 views

CVE-2026-27464 Metabase: Server-Side Template Injection via Notifications Endpoint Leads to RCE

Metabase is an open-source data analytics platform. In versions prior to 0.57.13 and versions 0.58.x through 0.58.6, authenticated users are able to retrieve sensitive information from a Metabase instance, including database access credentials. During testing, it was confirmed that a low-privileg...

CVSS 7.7, EPSS 0.00049
Exploits 0, References 3

OSV
added 2026/02/21 7:57 a.m., 4 views

CVE-2026-27464 Metabase: Server-Side Template Injection via Notifications Endpoint Leads to RCE

Metabase is an open-source data analytics platform. In versions prior to 0.57.13 and versions 0.58.x through 0.58.6, authenticated users are able to retrieve sensitive information from a Metabase instance, including database access credentials. During testing, it was confirmed that a low-privileg...

CVSS 7.7, AI score 5.5, EPSS 0.00049
Exploits 0, References 5

Vulnrichment
added 2026/02/21 7:57 a.m., 0 views

CVE-2026-27464 Metabase: Server-Side Template Injection via Notifications Endpoint Leads to RCE

Metabase is an open-source data analytics platform. In versions prior to 0.57.13 and versions 0.58.x through 0.58.6, authenticated users are able to retrieve sensitive information from a Metabase instance, including database access credentials. During testing, it was confirmed that a low-privileg...

CVSS 7.7, AI score 5.2, EPSS 0.00049
Exploits 0, References 3

ATTACKERKB
added 2026/02/21 7:57 a.m., 2 views

CVE-2026-27464

Metabase is an open-source data analytics platform. In versions prior to 0.57.13 and versions 0.58.x through 0.58.6, authenticated users are able to retrieve sensitive information from a Metabase instance, including database access credentials. During testing, it was confirmed that a low-privileg...

CVSS 7.7, AI score 5.5, EPSS 0.00049
Exploits 0, References 4, Affected Software 1