{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-30T13:12:40.527","vulnerabilities":[{"cve":{"id":"CVE-2026-25958","sourceIdentifier":"security-advisories@github.com","published":"2026-02-09T23:16:06.957","lastModified":"2026-06-17T10:25:29.517","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14."},{"lang":"es","value":"Cube es una capa semántica para construir aplicaciones de datos. Desde 0.27.19 hasta antes de 1.5.13, 1.4.2 y 1.0.14, es posible realizar una solicitud especialmente diseñada con un token de API válido que conduce a una escalada de privilegios. Esta vulnerabilidad está corregida en 1.5.13, 1.4.2 y 1.0.14."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"cube-js","product":"cube","versions":[{"version":">= 0.27.19, < 1.0.14","status":"affected"},{"version":">= 1.1.0, < 1.4.2","status":"affected"},{"version":">= 1.5.0, < 1.5.13","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":4.0}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-02-11T21:26:50.545357Z","id":"CVE-2026-25958","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-807"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:cube:cube.js:*:*:*:*:*:node.js:*:*","versionStartIncluding":"0.27.19","versionEndExcluding":"1.0.14","matchCriteriaId":"78B8CBDB-7E95-45F7-B916-A2CEA52AF86C"},{"vulnerable":true,"criteria":"cpe:2.3:a:cube:cube.js:*:*:*:*:*:node.js:*:*","versionStartIncluding":"1.1.0","versionEndExcluding":"1.4.2","matchCriteriaId":"A7012092-D8D0-451C-BF39-8B34AEC74673"},{"vulnerable":true,"criteria":"cpe:2.3:a:cube:cube.js:*:*:*:*:*:node.js:*:*","versionStartIncluding":"1.5.0","versionEndExcluding":"1.5.13","matchCriteriaId":"BE6B3000-94CC-46CE-BA90-87D559D6F536"}]}]}],"references":[{"url":"https://github.com/cube-js/cube/security/advisories/GHSA-v226-32c7-x2v7","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}