What is the CVSS score of CVE-2021-47748?

CVE-2021-47748 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.5%.

Which versions of PostgreSQL are affected by CVE-2021-47748?

Organizations using Hasura GraphQL 1.3.3 face critical risk from CVE-2021-47748, a OS command injection vulnerability rated CVSS 9.8.

Is there a public PoC exploit available for CVE-2021-47748?

Yes, a public proof-of-concept exploit is available for CVE-2021-47748. Prioritise patching immediately. EPSS: 0.5%.

How to fix or mitigate CVE-2021-47748?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Validate that input sanitization is in place for all user-controlled parameters.

PostgreSQL CVE-2021-47748

CRITICAL

OS Command Injection (CWE-78)

2026-01-21 disclosure@vulncheck.com

PostgreSQL RCE Graphql Engine

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 02, 2026 - 18:11 vuln.today

Public exploit code

CVE Published

Jan 21, 2026 - 18:16 nvd

CRITICAL 9.8

DescriptionCVE.org

Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the run_sql endpoint by crafting malicious GraphQL queries that execute system commands through PostgreSQL's COPY FROM PROGRAM functionality.

AnalysisAI

Hasura GraphQL 1.3.3 has a remote code execution vulnerability allowing attackers to execute arbitrary shell commands through the GraphQL endpoint.

Technical ContextAI

Hasura GraphQL Engine 1.3.3 has a CWE-78 OS command injection vulnerability that allows attackers to inject and execute shell commands through crafted GraphQL queries or metadata operations.

RemediationAI

Upgrade Hasura GraphQL Engine. Restrict access to the GraphQL endpoint. Implement query complexity limits.

More from same product – last 7 days

CVE-2026-20253 CRITICAL Act Now POC

9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2026-54310 MEDIUM This Month

9.9 Jun 16

SQL injection in n8n's legacy Postgres v1 and TimescaleDB workflow nodes allows an authenticated workflow editor to inje

CVE-2026-48114 CRITICAL Act Now

9.8 Jun 15

Unauthenticated SQL injection in NCEAS Metacat 2.0.0 through pre-3.0.0 allows remote attackers to read, modify, and exec

CVE-2026-11945 HIGH This Week

7.5 Jun 11

Privilege escalation in PostgreSQL Anonymizer versions prior to 3.1.1 allows a low-privileged database user to achieve s

CVE-2021-47748 vulnerability details – vuln.today

Back

PostgreSQL CVE-2021-47748

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code