Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-57955— SigNoz 0.130.1 - SQL Injection in Alert History Endpoints via Rule ID Parameter

CVSS 8.5 · High EPSS 0.24% · P14

Possible ATT&CK Techniques 1AI

T1190 · Exploit Public-Facing Application

Affected Version Matrix 1

VendorProductVersion RangeStatus
SigNozsignoz≤ 0.130.1affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-57955

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
SigNoz 0.130.1 - SQL Injection in Alert History Endpoints via Rule ID Parameter
Source: NVD (National Vulnerability Database)
Vulnerability Description
SigNoz through 0.130.1 contains a SQL injection vulnerability that allows authenticated attackers to execute arbitrary ClickHouse queries by injecting URL-encoded quotes into the rule ID path parameter of the alert-history endpoints. Attackers can manipulate the unsanitized rule ID interpolated into ClickHouse queries to read all stored traces, logs, and metrics, or abuse the url() function to perform server-side request forgery.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
SigNoz SQL注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
SigNoz SigNoz是SigNoz团队的一款开源应用性能监控工具。 SigNoz 0.130.1及之前版本存在SQL注入漏洞,该漏洞源于alert-history端点rule ID路径参数中存在SQL注入问题,允许已认证攻击者执行任意ClickHouse查询,读取所有存储的跟踪、日志和指标,或利用url()函数进行服务端请求伪造。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
SigNozsignoz 0 ~ 0.130.1 -

II. Public POCs for CVE-2026-57955

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium
Qwen3.6-35B-A3B · 9076 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month

III. Intelligence Information for CVE-2026-57955

登录查看更多情报信息。

Vendor Advisories for CVE-2026-57955 (1)

Security Blog Posts for CVE-2026-57955 (1)

IV. Related Vulnerabilities

V. Comments for CVE-2026-57955

No comments yet


Leave a comment