cpe:2.3:a:n/a:metabase:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | N/A (22f567d3-1203-528c-8f0e-3eb9c2f6ca78) |
|---|---|
| Product | Metabase (4b3e58dc-b619-5581-8681-99cad7c35317) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2025-5895 | vulnerable | 2026-06-08 07:37:25.992994 | Metabase dom.js parseDataUri redos<br>MEDIUM (4.3)<br>A vulnerability was found in Metabase 54.10. It has been classified as problematic. This affects the function parseDataUri of the file frontend/src/metabase/lib/dom.js. The manipulation leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The patch is named 4454ebbdc7719016bf80ca0f34859ce5cee9f6b0. It is recommended to apply a patch to fix this issue.<br>Published: 2025-06-09T20:00:19.261Z<br>Updated: 2025-06-10T15:30:32.919Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-43776 | vulnerable | 2026-06-08 05:49:34.033380 | The url parameter of the /api/geojson endpoint in Metabase versions <44.5 can be used to perform Server Side Request Forgery attacks. Previously implemented blacklists could be circumvented by leveraging 301 and 302 redirects.<br>Published: 2022-10-26T00:00:00.000Z<br>Updated: 2025-05-07T13:33:17.065Z | Imported from gcve-enriched-dumps CVE data |