9.1

CVE-2026-28370

Exploit
In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected. This occurs in _create_query_function in vitrage/graph/query.py.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OpenstackVitrage Version < 12.01
OpenstackVitrage Version >= 13.0.0 < 13.0.1
OpenstackVitrage Version >= 14.0.0 < 14.0.1
OpenstackVitrage Version >= 15.0.0 < 15.0.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.04% 0.12
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
cve@mitre.org 9.1 2.3 6
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

https://storyboard.openstack.org/#%21/story/2011539
Vendor Advisory
Exploit
Issue Tracking