PYSEC-2026-528 Rucio has SQL Injection in FilterEngine Oracle JSON Path via DID Search API
Summary: A SQL injection vulnerability in the Oracle path of FilterEngine.create_sqla_query allows any authenticated Rucio user to execute arbitrary SQL against the backend database through the DID search endpoint GET /dids//dids/search. Attacker-controlled filter keys and values are interpolated...
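The following is an added example, not Rucio's code and not its actual fix. It shows the defensive pattern for the flaw class the summary describes: a JSON path has to appear in the statement as a literal, so the filter key is checked against a strict pattern before use, while the filter value only ever travels as a bind parameter. The function name build_json_filter, the column name meta, the key pattern and the operator set are assumptions made for illustration.

```python
import re

# Assumption: legitimate metadata keys are plain identifiers. Anything that
# could close the path literal (quotes, parentheses, spaces, dashes) is refused.
_KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

# Operators are mapped through a fixed table, never copied from the request.
_OPERATORS = {"=": "=", "!=": "<>", "<": "<", "<=": "<=", ">": ">", ">=": ">="}


def build_json_filter(filters, json_column="meta"):
    """Build (where_clause, bind_params) from (key, operator, value) filters.

    The clause uses Oracle-style JSON_VALUE(column, '$.key') with named bind
    placeholders (:p0, :p1, ...). Only validated keys reach the SQL text;
    values are returned separately for the driver to bind.
    """
    if not _KEY_RE.fullmatch(json_column):
        raise ValueError(f"illegal column name: {json_column!r}")

    clauses, params = [], {}
    for i, (key, op, value) in enumerate(filters):
        if not isinstance(key, str) or not _KEY_RE.fullmatch(key):
            raise ValueError(f"illegal filter key: {key!r}")
        if op not in _OPERATORS:
            raise ValueError(f"illegal operator: {op!r}")
        name = f"p{i}"
        clauses.append(
            f"JSON_VALUE({json_column}, '$.{key}') {_OPERATORS[op]} :{name}"
        )
        params[name] = value  # bound by the driver, never formatted into SQL

    # No filters means no restriction; keep the clause syntactically valid.
    return (" AND ".join(clauses) or "1 = 1"), params


if __name__ == "__main__":
    # Constructed sample input: the second value contains a single quote.
    sample = [("run_number", "=", "1234"), ("campaign", "!=", "o'brien")]
    where, binds = build_json_filter(sample)
    print(where)
    print(binds)
```

A key that fails the pattern raises ValueError before any SQL text is produced, so the request can be rejected with a client error instead of reaching the database.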