CVE-2026-32714
🔴 Łataj teraz
Wstrzyknięcie SQL w SciTokens umożliwia wykonanie dowolnych poleceń SQL w bazie danych.
CVSS
9.8
EPSS
0.0%
Exploit
poc
Vendor
scitokens
Opis źródłowy (NVD)
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the KeyCache class in scitokens was vulnerable to SQL Injection because it used Python's str.format() to construct SQL queries with user-supplied data (such as issuer and key_id). This allowed an attacker to execute arbitrary SQL commands against the local SQLite database. This issue has been patched in version 1.9.6.
exploit sql-injection
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 9.8 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.0% |
| Opublikowano (NVD) | 2026-03-31 03:15:55 UTC |
| Ostatnia modyfikacja (NVD) | 2026-04-03 18:01:22 UTC |
Referencje
- https://github.com/scitokens/scitokens/commit/3dba108853f2f4a6c0f2325c03779bf083c41cf2 (security-advisories@github.com) [Patch]
- https://github.com/scitokens/scitokens/releases/tag/v1.9.6 (security-advisories@github.com) [Release Notes]
- https://github.com/scitokens/scitokens/security/advisories/GHSA-rh5m-2482-966c (security-advisories@github.com) [Exploit, Vendor Advisory]