| CVE | Severity | Status | Description |
|---|---|---|---|
| CVE-2026-27464 | High | published | Authenticated users are able to retrieve sensitive information from a Metabase instance, including database access credentials. |
| CVE-2026-22805 | Low | published | It's possible to use the channel test endpoint to reach internal local addresses |
| CVE-2025-32382 | Low | published | Snowflake credentials logged by the Metabase backend |
| CVE-2025-30371 | Low | published | It's possible to circumvent local link access protection in GeoJson endpoint |
| CVE-2025-27141 | Medium | published | Cached questions leak data to impersonated users |
| CVE-2024-55951 | Medium | published | Sandboxed users could see filter values from other sandboxed users |
| CVE-2023-37470 | Critical | published | Remote code execution via user-supplied H2 connection strings |
| CVE-2023-32680 | Medium | published | Native models enable people without SQL permissions to create and edit SQL snippets |
| CVE-2023-23628 | Medium | published | Dashboard subscription settings interface reveals list of recipients to sandboxed users |
| CVE-2023-23629 | Medium | published | Users can view data they don't have privileges to view by adding themselves to dashboard subscriptions created by users with more data privileges |
| CVE-2022-39358 | Critical | published | Possible to circumvent Locked parameter in Signed Embedding |
| CVE-2022-39360 | High | published | SSO users able to circumvent IdP login by doing password reset |
| CVE-2022-39359 | High | published | GeoJSON validation doesn't prevent redirects to blocked URLs |
| CVE-2022-39362 | High | published | Arbitrary SQL execution from queryhash |
| CVE-2022-39361 | Critical | published | Remote Code Execution via H2 |
| CVE-2022-24853 | Low | published | Make GeoJSON URL read fully conditional on validation |
| CVE-2022-24854 | Medium | published | SQLite allows "FDW" to other SQLite databases bypassing any permissions |
| CVE-2022-24855 | Medium | published | XSS vulnerability in /_internal endpoint |
| N/A | Critical | published | log4j RCE - CVE-2021-44228 |
| N/A | High | published | Incomplete validation of GeoJSON api can lead to exposing local files or environment variables to admin users |
| CVE-2021-41277 | Critical | published | GeoJSON URL validation can expose server files and environment variables to unauthorized users |
| N/A | Low | published | Exposure of Dashboard Subscription Metadata to Users Without Read Access |
| N/A | High | published | Potential Information Disclosure When Using Presto with Basic Auth on HTTP Errors |
| N/A | Medium | published | Revision API allows revert of dashboards and viewing history of questions/dashboards without permissions |
| N/A | Medium | published | Possible information leakage for Sandboxed users seeing filter list data they may not have access to |
| N/A | High | published | Possible SQL Injection With Redshift and Postgres Match and Replace Operations |
| N/A | High | published | Custom Maps Feature lets Admin Users Read Server Files |
| N/A | High | published | Metabase Enterprise Data Sandboxing and Caching Visibility Vulnerability |