CVE-2026-48114

Source
https://cve.org/CVERecord?id=CVE-2026-48114
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48114.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-48114
Aliases
  • GHSA-wrc6-rc34-hrcg
Published
2026-06-15T18:52:41.466Z
Modified
2026-07-08T08:11:48.828682377Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Metacat has an unauthenticated SQL injection vulnerability
Details

Metacat is data repository software that helps researchers preserve, share, and discover data. Versions 2.0.0 and and above contain an unauthenticated SQL injection in the /harvesterRegistration endpoint. HarvesterRegistration.dbInsert() builds an INSERT against HARVESTSITESCHEDULE via string concatenation, using a quoteString() helper that performs raw single-quote wrapping without escaping. Three request parameters reach the sink: unit, contactEmail, and documentListURL. The servlet does not verify a real LDAP identity. Allowing the vulnerable insert to proceed. Since the PostgreSQL backend permits stacked queries via Statement.executeUpdate(), this vulnerability allows full read/write/execute access in the Metacat database context. The vulnerability was remediated in Metacat 3.0.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48114.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-287",
        "CWE-89"
    ]
}
References

Affected packages

Git / github.com/nceas/metacat

Affected ranges

Type
GIT
Repo
https://github.com/nceas/metacat
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "3.0.0"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48114.json"