CVE-2026-25957

EUVD-2026-6246
Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
cubecube.js
1.1.17 ≤
𝑥
< 1.4.2
cubecube.js
1.5.0 ≤
𝑥
< 1.5.13
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/cube-js/cube/security/advisories/GHSA-9vph-2hvm-x66g