CVE-2026-32714

EUVD-2026-17293 CRITICAL
2026-03-31 GitHub_M GHSA-rh5m-2482-966c
CVSS 3.1: 9.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch Released: Apr 01, 2026 - 02:30 (nvd), Patch available
EUVD ID Assigned: Mar 31, 2026 - 02:30 (euvd), EUVD-2026-17293
Analysis Generated: Mar 31, 2026 - 02:30 (vuln.today)
CVE Published: Mar 31, 2026 - 01:31 (nvd), CRITICAL 9.8

Description

SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the KeyCache class in scitokens was vulnerable to SQL Injection because it used Python's str.format() to construct SQL queries with user-supplied data (such as issuer and key_id). This allowed an attacker to execute arbitrary SQL commands against the local SQLite database. This issue has been patched in version 1.9.6.
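
The pattern described above, shown next to its parameterized form, as an added example that is not code from the scitokens project. The table name, column names, function names and sample values are hypothetical and constructed for illustration.

```python
import sqlite3

# Hypothetical schema; not the real scitokens KeyCache table.
def make_cache():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE keycache (issuer TEXT, key_id TEXT, keydata TEXT)")
    conn.executemany(
        "INSERT INTO keycache VALUES (?, ?, ?)",
        [
            ("https://issuer-a.example", "key-1", "PEM-A"),
            ("https://issuer-b.example", "key-1", "PEM-B"),
        ],
    )
    return conn

def lookup_formatted(conn, issuer, key_id):
    """Pre-fix pattern: str.format() pastes the values into the SQL text,
    so a quote character in the input becomes part of the statement."""
    query = (
        "SELECT keydata FROM keycache "
        "WHERE issuer = '{}' AND key_id = '{}'".format(issuer, key_id)
    )
    return [row[0] for row in conn.execute(query)]

def lookup_bound(conn, issuer, key_id):
    """Hardened pattern: '?' placeholders; sqlite3 binds the values as data,
    so they can never change the structure of the statement."""
    query = "SELECT keydata FROM keycache WHERE issuer = ? AND key_id = ?"
    return [row[0] for row in conn.execute(query, (issuer, key_id))]

# Constructed input: a key_id carrying a quote and a boolean clause.
CONSTRUCTED_ISSUER = "https://unknown.example"
CONSTRUCTED_KEY_ID = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_cache()
    # Formatted query: the WHERE clause is rewritten and every issuer's key matches.
    print(sorted(lookup_formatted(conn, CONSTRUCTED_ISSUER, CONSTRUCTED_KEY_ID)))
    # Bound query: the same input is compared as a literal string and matches nothing.
    print(lookup_bound(conn, CONSTRUCTED_ISSUER, CONSTRUCTED_KEY_ID))
    # Legitimate lookups are unaffected by the change.
    print(lookup_bound(conn, "https://issuer-a.example", "key-1"))
```

When auditing a code base for the same flaw, look for `.format(`, `%` or f-strings feeding `execute()`; the bound form passes the SQL text and the values as separate arguments.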

Analysis

SQL injection in the SciTokens Python library allows unauthenticated remote code execution against the local SQLite database. The KeyCache class improperly uses str.format() to construct SQL queries with attacker-controlled issuer and key_id parameters, enabling arbitrary SQL command execution. …


Remediation

Within 24 hours: Identify all systems running SciTokens versions before 1.9.6 using software inventory tools and isolate affected services from untrusted network access. Within 7 days: Contact SciTokens project for patch availability and timeline; if patch is released, test and deploy to all affected instances immediately. …


Priority Score

49
KEV: 0
EPSS: +0.0
CVSS: +49
POC: 0
