Lucene search
+L

98 matches found

Chainguard
Chainguard
added 2026/06/08 7:18 p.m.10 views

CVE-2026-29790 vulnerabilities

Vulnerabilities for packages: dbt-bigquery, dbt-snowflake...

5.3CVSS5.1AI score0.00262EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2026/06/05 7:12 p.m.14 views

CVE-2026-39382

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Inside the reusable workflow dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml, the prep job uses peter-evans/find-comment to search for an...

9.3CVSS5.6AI score0.00389EPSS
Exploits0References1
vulnersOsv
vulnersOsv
added 2026/06/01 10:29 a.m.8 views

airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +40 more potentially affected by CVE-2026-45360 via apache-airflow-core (>=3.0.0 <=3.2.1rc3)

apache-airflow-core PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =0.2.0, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =1.28.0rc1 and more Source cves: CVE-2026-45360 Source advisory: SNYK:PYTHON-APACHEAIRFLOWCORE-17137547...

7.3CVSS5.7AI score0.00651EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/05/29 7:32 p.m.8 views

apache-airflow-providers-amazon (>=9.7.0 <=9.8.0rc1), arrow-pd-parser (>=1.0.0 <=1.0.4) +43 more potentially affected by CVE-2026-8838 via redshift-connector (>=2.0.888 <=2.1.13)

redshift-connector PYPI version =2.0.888, =9.7.0, =1.0.0, =0.1.1, =2.0.0, =0.1.7, =0.31.6, =0.1.17, =2.3.0.dev3, =1.0.0a2, =0.4.0, =0.0.1, =0.3.64, =6.1.2, =0.5.2, =1.5.0, =1.9.1 and more Source cves: CVE-2026-8838 Source advisory: OSV:GHSA-29H4-R29X-HCHV...

9.8CVSS5.4AI score0.00808EPSS
Exploits1
vulnersOsv
vulnersOsv
added 2026/05/19 8:10 p.m.7 views

sqlfluff-templater-dataform (>=0.1.8 <=0.1.11), sqlfluff-templater-dbt (>=4.0.0 <=4.0.4a1) potentially affected by CVE-2026-46373 via sqlfluff (>=4.0.0 <=4.0.4a1)

sqlfluff PYPI version =4.0.0, =0.1.8, =4.0.0, =4.0.4a1 Source cves: CVE-2026-46373 Source advisory: SNYK:PYTHON-SQLFLUFF-16770154...

7.5CVSS5.4AI score0.00263EPSS
Exploits0
Snyk
Snyk
added 2026/05/14 6:25 p.m.9 views

Insertion of Sensitive Information Into Sent Data

Overview dbt-mcp is an A MCP Model Context Protocol server for interacting with dbt resources. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the emittoolcalledevent process, which serializes and transmits all tool arguments, including...

3.1CVSS5.8AI score0.00205EPSS
Exploits0References2
OSV
OSV
added 2026/05/14 6:24 p.m.6 views

GHSA-7XGW-6QF3-7W59 dbt MCP Server Logs Tool Arguments Including SQL Queries and Credentials in Plaintext Without Redaction When File Logging Is Enabled

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summary DbtMCP.calltool in src/dbtmcp/mcp/server.py logs the complete raw arguments dictionary at INFO level on every tool invocation line 67 and again at ERROR level if the call...

2.5CVSS6AI score0.00104EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/14 6:24 p.m.9 views

Arbitrary Argument Injection

Overview dbt-mcp is an A MCP Model Context Protocol server for interacting with dbt resources. Affected versions of this package are vulnerable to Arbitrary Argument Injection via the nodeselection or resourcetype parameters in the rundbtcommand process. An attacker can override configuration fil...

7.2CVSS6AI score0.00137EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/14 6:24 p.m.16 views

dbt MCP Server has an Argument Injection in dbt CLI Tool Wrappers via node_selection and resource_type Parameters

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summary rundbtcommand in src/dbtmcp/dbtcli/tools.py constructs the dbt subprocess argument list by appending user-supplied MCP tool parameters without sanitization. Two independen...

6.3CVSS6.1AI score0.00137EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/05/14 6:24 p.m.7 views

GHSA-XPWW-F6PM-CFHQ dbt MCP Server has an Argument Injection in dbt CLI Tool Wrappers via node_selection and resource_type Parameters

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summary rundbtcommand in src/dbtmcp/dbtcli/tools.py constructs the dbt subprocess argument list by appending user-supplied MCP tool parameters without sanitization. Two independen...

6.3CVSS6.1AI score0.00137EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.15 views

PT-2026-41149

Name of the Vulnerable Software and Affected Versions dbt-mcp version 1.15.1 Description The DbtMCP.call tool function in src/dbt mcp/mcp/server.py logs the complete raw arguments dictionary at the INFO level for every tool invocation and at the ERROR level if an exception occurs. No fields are...

2.5CVSS6.1AI score0.00104EPSS
Exploits0References10
Circl
Circl
added 2026/05/13 3:1 p.m.10 views

CVE-2026-44970

creationtimestamp| type| source ---|---|--- 2026-05-13 15:01:46+00:00| published-proof-of-concept| https://github.com/dbt-labs/dbt-mcp/security/advisories/GHSA-jj54-r8gm-2fcf...

3.1CVSS4.9AI score0.00205EPSS
Exploits0References1
Circl
Circl
added 2026/05/13 3:1 p.m.10 views

CVE-2026-44968

creationtimestamp| type| source ---|---|--- 2026-05-13 15:01:21+00:00| published-proof-of-concept| https://github.com/dbt-labs/dbt-mcp/security/advisories/GHSA-xpww-f6pm-cfhq...

6.3CVSS5.8AI score0.00137EPSS
Exploits0References1
vulnersOsv
vulnersOsv
added 2026/04/18 9:30 a.m.9 views

airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +39 more potentially affected by CVE-2026-32690 via apache-airflow (>=3.0.0 <=3.1.8)

apache-airflow PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =0.2.0, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =1.28.0rc1 and more Source cves: CVE-2026-32690 Source advisory: OSV:GHSA-W9R4-94FJ-XP69...

3.7CVSS5.7AI score0.00421EPSS
Exploits0
NVD
NVD
added 2026/04/07 8:16 p.m.20 views

CVE-2026-39382

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Inside the reusable workflow dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml, the prep job uses peter-evans/find-comment to search for an...

9.3CVSS0.00389EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/07 7:56 p.m.4 views

CVE-2026-39382

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Inside the reusable workflow dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml, the prep job uses peter-evans/find-comment to search for an...

9.3CVSS6AI score0.00389EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/03/08 1:44 a.m.7 views

CVE-2026-29790

dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safeextract function used when extracting tarball archives. The function uses os.path.commonprefix to validate that...

5.3CVSS5.7AI score0.00262EPSS
Exploits0References1
vulnersOsv
vulnersOsv
added 2026/03/06 10:54 p.m.4 views

dbt-databricks (>=1.11.1 <=1.11.3) potentially affected by CVE-2026-29790 via dbt-common (=1.36.0)

dbt-common PYPI version =1.36.0 is affected by a known vulnerability. The following packages have a transitive dependency on dbt-common and may be impacted: - dbt-databricks =1.11.1, =1.11.3 Source cves: CVE-2026-29790 Source advisory: SNYK:PYTHON-DBTCOMMON-15440507...

5.3CVSS5.8AI score0.00262EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/03/06 10:54 p.m.3 views

acdc-aws-etl-pipeline (>=0.1.7 <=0.5.9), airflow-dbt-python (=2.1.0) +49 more potentially affected by CVE-2026-29790 via dbt-common (>=1.0.0b2 <=1.33.0)

dbt-common PYPI version =1.0.0b2, =0.1.7, =0.1.5, =0.21.7, =0.0.1rc1, =0.1.0a1, =1.0.9, =1.8.0, =1.5.2, =1.8.0, =1.8.0, =1.8.15 and more Source cves: CVE-2026-29790 Source advisory: SNYK:PYTHON-DBTCOMMON-15440507...

5.3CVSS5.7AI score0.00262EPSS
Exploits0
Snyk
Snyk
added 2026/03/06 10:54 p.m.1 views

Directory Traversal

Overview dbt-common is a The shared common utilities that dbt-core and adapter implementations use Affected versions of this package are vulnerable to Directory Traversal via the safeextract function. An attacker can write files outside the intended extraction directory by supplying a malicious...

5.3CVSS6.2AI score0.00262EPSS
Exploits0References2
Rows per page
Query Builder