CVE Catalog

CVE-2026-53474

CriticalCVSS 9.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.31%

23th percentile — higher than 23% of all known CVEs

Summary

A flaw was found in migration-planner that allows a remote authenticated attacker to upload a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within spreadsheet cells is executed when processing cluster names.

Risk Assessment

This SQL Injection vulnerability allows for arbitrary file reading on the system, potentially exposing sensitive information such as Kubernetes service account tokens and other credentials, which could lead to a full compromise of the SaaS environment.

Recommendation

It is recommended to immediately update the migration-planner system and implement proper input sanitization mechanisms to prevent exploitation of this vulnerability.

Original NVD description (English source)

A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL Injection allows for arbitrary file reading on the system, potentially exposing sensitive information such as Kubernetes service account tokens and other credentials, which could lead to a full compromise of the SaaS environment.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS