CVE-2026-21892
MEDIUM 5.3
Description
Parsl is a Python parallel scripting library. A SQL Injection vulnerability exists in the parsl-visualize component of versions prior to 2026.01.05. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL routes. This allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL commands, potentially leading to data exfiltration or denial of service against the monitoring database. Version 2026.01.05 fixes the issue.
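The pattern the description names, shown next to a bound-parameter query, as an added example (not Parsl's code or its patch). The table and column names, the sample rows and the crafted route value are all constructed for illustration, using an in-memory sqlite3 database.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory stand-in for a monitoring database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE workflow (run_id TEXT PRIMARY KEY, workflow_name TEXT)")
    conn.executemany(
        "INSERT INTO workflow VALUES (?, ?)",
        [("run-aaa", "alice-pipeline"), ("run-bbb", "bob-pipeline")],
    )
    return conn


def lookup_unsafe(conn, workflow_id):
    # Vulnerable pattern: the route value is pasted into the SQL text with %,
    # so any quote characters in it are parsed as SQL syntax.
    query = "SELECT workflow_name FROM workflow WHERE run_id = '%s'" % workflow_id
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, workflow_id):
    # Bound parameter: the value travels separately from the SQL text and is
    # only ever compared as a string, whatever characters it contains.
    query = "SELECT workflow_name FROM workflow WHERE run_id = ?"
    return [row[0] for row in conn.execute(query, (workflow_id,))]


# Constructed route value containing SQL metacharacters.
CRAFTED_ID = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_demo_db()
    print("unsafe, normal id :", lookup_unsafe(conn, "run-aaa"))
    print("unsafe, crafted id:", lookup_unsafe(conn, CRAFTED_ID))  # every row
    print("safe,   crafted id:", lookup_safe(conn, CRAFTED_ID))    # no rows
```

The same assertions work as a regression test: a route value containing quotes must never return rows other than the one whose id matches it exactly.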
CVE Details
CVSS v3.1 score: 5.3
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 1/8/2026
Last modified: 1/20/2026
Source: nvd
Honeypot sightings: 0
Affected products
uchicago:parsl
Weaknesses (CWE)
CWE-89
References
https://github.com/Parsl/parsl/commit/013a928461e70f38a33258bd525a351ed828e974 (security-advisories@github.com)
https://github.com/Parsl/parsl/security/advisories/GHSA-f2mf-q878-gh58 (security-advisories@github.com)
https://github.com/Parsl/parsl/security/advisories/GHSA-f2mf-q878-gh58 (134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.