CVE-2026-59826
Gravedad CVSS v3.1:
CRÍTICA
Tipo:
CWE-94
Control incorrecto de generación de código (Inyección de código)
Fecha de publicación:
09/07/2026
Última modificación:
09/07/2026
Descripción
*** Pendiente de traducción *** Metabase is an open-source business intelligence and embedded analytics tool. From 1.55.0 until 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2, Metabase did not validate unsafe H2 connection properties on one database-creation code path, allowing an authenticated administrator to register a crafted H2 database connection and execute arbitrary Java code on the Metabase server. This issue is fixed in versions 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2.
Impacto
Puntuación base 3.x
9.10
Gravedad 3.x
CRÍTICA
Referencias a soluciones, herramientas e información
- https://github.com/metabase/metabase/commit/74032e5e0a5a70dc45a6a744d37b9ba24eee8d01
- https://github.com/metabase/metabase/releases/tag/v0.58.15.1
- https://github.com/metabase/metabase/releases/tag/v0.59.12
- https://github.com/metabase/metabase/releases/tag/v0.60.6.3
- https://github.com/metabase/metabase/releases/tag/v0.61.2
- https://github.com/metabase/metabase/security/advisories/GHSA-8wx2-rxp2-4x35



