CVE-2026-53474

MEDIUM EPSS 21.4%
Published Jun 10, 20262w ago · Modified Jun 17, 20261w ago
6.5 CVSS 3.1
Medium
Find Similar
Published Jun 10, 2026 2w ago
Last Modified Jun 17, 2026 1w ago

Description

A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL Injection allows for arbitrary file reading on the system, potentially exposing sensitive information such as Kubernetes service account tokens and other credentials, which could lead to a full compromise of the SaaS environment.

CVSS Details

Base Score
6.5
Exploitability
2.8
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
21.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-89 SQL Injection Injection

Affected Products 1

VendorProductVersionRange
kebev2vmigration_assessment* <0.13.5

References 3

  • access.redhat.com https://access.redhat.com/security/cve/CVE-2026-53474
    Third Party Advisory
  • bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=2487231
    Issue TrackingThird Party Advisory
  • github.com https://github.com/kubev2v/migration-planner/pull/1231
    Patch

Remediation

  • github.com https://github.com/kubev2v/migration-planner/pull/1231
    Patch