CVE-2026-25957

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-25957
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25957.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25957
Aliases
Published
2026-02-09T22:39:16.121Z
Modified
2026-03-13T04:11:39.986372Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Cube Denial of Service (DoS) - An authenticated attacker can crash the server by sending a specially crafted request
Details

Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-755"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25957.json"
}
References

Affected packages

Git / github.com/cube-js/cube

Affected ranges

Type
GIT
Repo
https://github.com/cube-js/cube
Events
Introduced
d130dbc32b2931ecd1264d44fd8952e6d8f52c94
Fixed
4e47fc6ca2fe0bb4b921e64448c647b3c0a8707a
Database specific 
{
    "versions": [
        {
            "introduced": "1.1.17"
        },
        {
            "fixed": "1.4.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/cube-js/cube
Events
Introduced
e4d767eee86887aab47bfcb6448d9db2bf0851cc
Fixed
7a2b4a0b705f61863d35102099ecc29be198ab6a
Database specific 
{
    "versions": [
        {
            "introduced": "1.5.0"
        },
        {
            "fixed": "1.5.13"
        }
    ]
}

Affected versions

v1.*
v1.1.17
v1.1.18
v1.2.0
v1.2.1
v1.2.10
v1.2.11
v1.2.12
v1.2.13
v1.2.14
v1.2.15
v1.2.16
v1.2.17
v1.2.18
v1.2.19
v1.2.2
v1.2.20
v1.2.21
v1.2.22
v1.2.23
v1.2.24
v1.2.25
v1.2.26
v1.2.27
v1.2.28
v1.2.29
v1.2.3
v1.2.30
v1.2.31
v1.2.32
v1.2.33
v1.2.4
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9
v1.3.0
v1.3.1
v1.3.10
v1.3.11
v1.3.12
v1.3.13
v1.3.14
v1.3.15
v1.3.16
v1.3.17
v1.3.18
v1.3.19
v1.3.2
v1.3.20
v1.3.21
v1.3.22
v1.3.23
v1.3.24
v1.3.25
v1.3.26
v1.3.27
v1.3.28
v1.3.29
v1.3.3
v1.3.30
v1.3.31
v1.3.32
v1.3.33
v1.3.34
v1.3.35
v1.3.36
v1.3.37
v1.3.38
v1.3.39
v1.3.4
v1.3.40
v1.3.41
v1.3.42
v1.3.43
v1.3.44
v1.3.45
v1.3.46
v1.3.47
v1.3.48
v1.3.49
v1.3.5
v1.3.50
v1.3.51
v1.3.52
v1.3.53
v1.3.54
v1.3.55
v1.3.56
v1.3.57
v1.3.58
v1.3.59
v1.3.6
v1.3.60
v1.3.61
v1.3.62
v1.3.63
v1.3.64
v1.3.65
v1.3.66
v1.3.67
v1.3.68
v1.3.69
v1.3.7
v1.3.70
v1.3.71
v1.3.72
v1.3.73
v1.3.74
v1.3.75
v1.3.76
v1.3.77
v1.3.78
v1.3.79
v1.3.8
v1.3.80
v1.3.81
v1.3.82
v1.3.83
v1.3.84
v1.3.85
v1.3.86
v1.3.9
v1.4.0
v1.4.1
v1.5.0
v1.5.1
v1.5.10
v1.5.11
v1.5.12
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.6
v1.5.7
v1.5.8
v1.5.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25957.json"

Git / github.com/cube-js/cube.js

Affected ranges

Type
GIT
Repo
https://github.com/cube-js/cube.js
Events
Introduced
d130dbc32b2931ecd1264d44fd8952e6d8f52c94
Fixed
4e47fc6ca2fe0bb4b921e64448c647b3c0a8707a
Introduced
e4d767eee86887aab47bfcb6448d9db2bf0851cc
Fixed
7a2b4a0b705f61863d35102099ecc29be198ab6a
Database specific 
{
    "versions": [
        {
            "introduced": "1.1.17"
        },
        {
            "fixed": "1.4.2"
        },
        {
            "introduced": "1.5.0"
        },
        {
            "fixed": "1.5.13"
        }
    ]
}

Affected versions

v1.*
v1.1.17
v1.1.18
v1.2.0
v1.2.1
v1.2.10
v1.2.11
v1.2.12
v1.2.13
v1.2.14
v1.2.15
v1.2.16
v1.2.17
v1.2.18
v1.2.19
v1.2.2
v1.2.20
v1.2.21
v1.2.22
v1.2.23
v1.2.24
v1.2.25
v1.2.26
v1.2.27
v1.2.28
v1.2.29
v1.2.3
v1.2.30
v1.2.31
v1.2.32
v1.2.33
v1.2.4
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9
v1.3.0
v1.3.1
v1.3.10
v1.3.11
v1.3.12
v1.3.13
v1.3.14
v1.3.15
v1.3.16
v1.3.17
v1.3.18
v1.3.19
v1.3.2
v1.3.20
v1.3.21
v1.3.22
v1.3.23
v1.3.24
v1.3.25
v1.3.26
v1.3.27
v1.3.28
v1.3.29
v1.3.3
v1.3.30
v1.3.31
v1.3.32
v1.3.33
v1.3.34
v1.3.35
v1.3.36
v1.3.37
v1.3.38
v1.3.39
v1.3.4
v1.3.40
v1.3.41
v1.3.42
v1.3.43
v1.3.44
v1.3.45
v1.3.46
v1.3.47
v1.3.48
v1.3.49
v1.3.5
v1.3.50
v1.3.51
v1.3.52
v1.3.53
v1.3.54
v1.3.55
v1.3.56
v1.3.57
v1.3.58
v1.3.59
v1.3.6
v1.3.60
v1.3.61
v1.3.62
v1.3.63
v1.3.64
v1.3.65
v1.3.66
v1.3.67
v1.3.68
v1.3.69
v1.3.7
v1.3.70
v1.3.71
v1.3.72
v1.3.73
v1.3.74
v1.3.75
v1.3.76
v1.3.77
v1.3.78
v1.3.79
v1.3.8
v1.3.80
v1.3.81
v1.3.82
v1.3.83
v1.3.84
v1.3.85
v1.3.86
v1.3.9
v1.4.0
v1.4.1
v1.5.0
v1.5.1
v1.5.10
v1.5.11
v1.5.12
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.6
v1.5.7
v1.5.8
v1.5.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25957.json"