Metabase — Vulnerabilities & Security Advisories (23)

All 23 CVE vulnerabilities found in Metabase, with AI-generated Chinese analysis, references, and POCs.

Vendor: Metabase, Inc.

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-33725 | Metabase vulnerable to RCE and Arbitrary File Read via H2 JDBC INIT Injection in EE Serialization Import | CWE-502 | 7.2 | High | 2026-03-27 |
| CVE-2026-27464 | Metabase: Server-Side Template Injection via Notifications Endpoint Leads to RCE | CWE-1336 | 7.7 | High | 2026-02-21 |
| CVE-2026-22805 | Metabase channel test endpoint can reach internal local addresses | CWE-918 | 8.2 (AI) | High (AI) | 2026-01-12 |
| CVE-2025-5895 | Metabase dom.js parseDataUri redos | CWE-1333 | 4.3 | Medium | 2025-06-09 |
| CVE-2025-32382 | Snowflake credentials logged by the Metabase backend | CWE-532 | 8.1 (AI) | High (AI) | 2025-04-10 |
| CVE-2025-30371 | Metabase vulnerable to circumvention of local link access protection in GeoJson endpoint | CWE-59 | 6.1 | - | 2025-03-28 |
| CVE-2025-27141 | Metabase Enterprise Edition allows cached questions to leak data to impersonated users | CWE-732 | 4.3 | - | 2025-02-24 |
| CVE-2024-55951 | Metabase sandboxed users could see filter values from other sandboxed users | CWE-200 | 5.0 | - | 2024-12-16 |
| CVE-2023-37470 | Metabase vulnerable to remote code execution via POST /api/setup/validate API endpoint | CWE-94 | 10.0 | Critical | 2023-08-04 |
| CVE-2023-32680 | Missing SQL permissions check in metabase | CWE-306 | 5.8 | Medium | 2023-05-18 |
| CVE-2023-23629 | Metabase subject to Improper Privilege Management | CWE-200 | 6.3 | Medium | 2023-01-28 |
| CVE-2023-23628 | Metabase subject to Exposure of Sensitive Information to an Unauthorized Actor | CWE-200 | 5.7 | Medium | 2023-01-28 |
| CVE-2022-43776 | Metabase code issue vulnerability | | 6.5 | - | 2022-10-26 |
| CVE-2022-39362 | Metabase vulnerable to arbitrary SQL execution from queryhash | CWE-356 | 8.8 | High | 2022-10-26 |
| CVE-2022-39361 | Metabase vulnerable to Remote Code Execution via H2 | CWE-20 | 8.8 | High | 2022-10-26 |
| CVE-2022-39360 | Metabase SSO users able to circumvent IdP login by doing password reset | CWE-304 | 6.5 | Medium | 2022-10-26 |
| CVE-2022-39359 | Metabase's GeoJSON validation doesn't prevent redirects to blocked URLs | CWE-200 | 6.5 | Medium | 2022-10-26 |
| CVE-2022-39358 | Metabase vulnerable to circumvention of Locked parameter in Signed Embedding | CWE-200 | 6.5 | Medium | 2022-10-26 |
| CVE-2022-24853 | File system exposure in Metabase | CWE-200 | 5.9 | Medium | 2022-04-14 |
| CVE-2022-24854 | Database bypassing any permissions in Metabase via SQlite attach | CWE-610 | 8.0 | High | 2022-04-14 |
| CVE-2022-24855 | XSS vulnerability in Metabase | CWE-79 | 8.7 | High | 2022-04-14 |
| CVE-2021-41277 | GeoJSON URL validation can expose server files and environment variables to unauthorized users | CWE-200 | 10.0 | Critical | 2021-11-17 |
| CVE-2018-0697 | Metabase cross-site scripting vulnerability | | 6.1 | - | 2018-11-15 |