What is the CVSS score of CVE-2026-33725?

CVE-2026-33725 has a CVSS 3.1 base score of 7.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.3%.

Which versions of Metabase are affected by CVE-2026-33725?

Metabase Enterprise Edition versions 1.47-1.59.3 contain a remote code execution vulnerability affecting authenticated administrators who can exploit malicious file imports to execute arbitrary code…. A patch is available.

Metabase CVE-2026-33725

EUVD-2026-16502 HIGH

Deserialization of Untrusted Data (CWE-502)

2026-03-27 GitHub_M

RCE Deserialization

7.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:13 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

1.57.16,1.54.22,1.58.10

EUVD ID Assigned

Mar 27, 2026 - 00:45 euvd

EUVD-2026-16502

Analysis Generated

Mar 27, 2026 - 00:45 vuln.today

CVE Published

Mar 27, 2026 - 00:19 nvd

HIGH 7.2

DescriptionNVD

Metabase is an open source business intelligence and embedded analytics tool. In Metabase Enterprise prior to versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4, authenticated admins on Metabase Enterprise Edition can achieve Remote Code Execution (RCE) and Arbitrary File Read via the POST /api/ee/serialization/import endpoint. A crafted serialization archive injects an INIT property into the H2 JDBC spec, which can execute arbitrary SQL during a database sync. We confirmed this was possible on Metabase Cloud. This only affects Metabase Enterprise. Metabase OSS lacks the affected codepaths. All versions of Metabase Enterprise that have serialization, which dates back to at least version 1.47, are affected. Metabase Enterprise versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4 patch the issue. As a workaround, disable the serialization import endpoint in their Metabase instance to prevent access to the vulnerable codepaths.

AnalysisAI

Remote Code Execution and Arbitrary File Read in Metabase Enterprise Edition allows authenticated administrators to execute arbitrary code and read sensitive files via malicious serialization archives. Affected versions span at least 1.47 through 1.59.3, with patches released in versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4. …

RemediationAI

Within 24 hours: Identify all Metabase Enterprise instances and current version numbers via GET /api/session/properties or equivalent. Within 7 days: Apply vendor-released patch to the appropriate maintenance branch (1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, or 1.59.4 based on current version). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-33725 vulnerability details – vuln.today

Back

Metabase CVE-2026-33725

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code