
Metacat EUVD-2026-36795

CVE-2026-48114 (CRITICAL)
SQL Injection (CWE-89)
2026-06-15, GitHub_M
CVSS 3.1: 9.8 (Vendor: GitHub_M)

Severity by source

Vendor (GitHub_M), primary: 9.8 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI: 9.8 CRITICAL

Servlet skips LDAP auth (PR:N), reachable over HTTP (AV:N) with a single crafted request (AC:L), and stacked-query SQLi yields full DB read/write/execute (C:H/I:H/A:H).

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: Jun 15, 2026 - 21:01 (EUVD)
Source Code Evidence Fetched: Jun 15, 2026 - 19:55 (vuln.today)
Analysis Generated: Jun 15, 2026 - 19:55 (vuln.today)
CVE Published: Jun 15, 2026 - 18:52 (cve.org)

Description (CVE.org)

Metacat is data repository software that helps researchers preserve, share, and discover data. Versions 2.0.0 and above contain an unauthenticated SQL injection in the /harvesterRegistration endpoint. HarvesterRegistration.dbInsert() builds an INSERT against HARVEST_SITE_SCHEDULE via string concatenation, using a quoteString() helper that performs raw single-quote wrapping without escaping. Three request parameters reach the sink: unit, contactEmail, and documentListURL. The servlet does not verify a real LDAP identity, allowing the vulnerable insert to proceed. Since the PostgreSQL backend permits stacked queries via Statement.executeUpdate(), this vulnerability allows full read/write/execute access in the Metacat database context. The vulnerability was remediated in Metacat 3.0.0.
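The concatenation pattern described above, next to a parameterized form, as an added Java illustration. It is not Metacat source and not the vendor's fix; the class name, column names and sample values are assumptions, and only the table name and the three parameter names come from the description.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/** Added illustration (hypothetical class); column names are assumed. */
public class HarvestInsertExample {

    // The helper pattern the description names: wraps in quotes, escapes nothing.
    static String quoteString(String s) {
        return "'" + s + "'";
    }

    // "Before": request values become part of the SQL text itself.
    static String concatenatedInsert(String unit, String contactEmail, String documentListURL) {
        return "INSERT INTO HARVEST_SITE_SCHEDULE (UNIT, CONTACT_EMAIL, DOCUMENTLISTURL) VALUES ("
                + quoteString(unit) + ", " + quoteString(contactEmail) + ", "
                + quoteString(documentListURL) + ")";
    }

    // "After": the statement text is a constant; values travel as bind parameters.
    static final String PARAM_SQL =
            "INSERT INTO HARVEST_SITE_SCHEDULE (UNIT, CONTACT_EMAIL, DOCUMENTLISTURL) VALUES (?, ?, ?)";

    static int parameterizedInsert(Connection conn, String unit, String contactEmail,
                                   String documentListURL) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(PARAM_SQL)) {
            ps.setString(1, unit);
            ps.setString(2, contactEmail);
            ps.setString(3, documentListURL);
            return ps.executeUpdate();
        }
    }

    // Number of single quotes in a statement; three intact literals contribute six.
    static long quoteCount(String sql) {
        return sql.chars().filter(c -> c == '\'').count();
    }

    public static void main(String[] args) {
        // Constructed sample input: a legitimate address that contains an apostrophe.
        String sql = concatenatedInsert("months", "pat.o'neil@example.org",
                "https://example.org/list.xml");
        System.out.println(sql);
        System.out.println("single quotes: " + quoteCount(sql) + " (three intact literals have 6)");
        System.out.println("parameterized text never changes: " + PARAM_SQL);
    }
}
```

Running main needs no database: the apostrophe in ordinary data already ends the second literal early, which is the structural defect that bind parameters remove.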

Analysis (AI)

Unauthenticated SQL injection in NCEAS Metacat 2.0.0 through pre-3.0.0 allows remote attackers to read, modify, and execute arbitrary statements against the PostgreSQL backend by sending crafted parameters to the /harvesterRegistration endpoint. The flaw stems from string-concatenated INSERTs in HarvesterRegistration.dbInsert() combined with a missing LDAP identity check, and because the backend permits stacked queries via Statement.executeUpdate() the injection escalates to full database compromise. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Discover exposed Metacat /harvesterRegistration
Delivery: Craft POST with quote-breaking payload in unit/contactEmail/documentListURL
Exploit: Bypass missing LDAP check at servlet
Execution: Stacked SQL executes via PostgreSQL executeUpdate
Persist: Read/modify Metacat metadata and credentials
Impact: Optional escalation to OS via DB role functions

Vulnerability Assessment (AI)

Exploitation: Exploitation requires only network reachability to the Metacat servlet's /harvesterRegistration endpoint on a Metacat 2.0.0-2.x deployment backed by PostgreSQL with stacked queries enabled (the JDBC default). …

Risk Assessment: All available signals point to a real, high-priority issue rather than an inflated CVSS. …

Exploit Scenario: An attacker who can reach the Metacat web interface sends a single HTTP POST to /harvesterRegistration with a unit, contactEmail, or documentListURL field containing a closing single quote followed by stacked SQL such as `'); UPDATE xml_documents SET docid='attacker'; --`. Because the servlet skips LDAP authentication and the quoteString() helper does not escape the embedded quote, the injected statements execute under the Metacat PostgreSQL role, allowing data exfiltration, tampering with metadata records, or pivoting to OS-level commands if the DB role is over-privileged. …

Remediation: Vendor-released patch: Metacat 3.0.0 - upgrade per the GitHub Security Advisory at https://github.com/NCEAS/metacat/security/advisories/GHSA-wrc6-rc34-hrcg, which corresponds to commit 820d595309b399fdbdf4983bd1b1dd795773472a that removes the entire vulnerable harvesterClient code path. …

Recommended Action (AI)

WITHIN 24 HOURS: Identify all systems running Metacat 2.0.0-pre-3.0.0 and immediately restrict network access to the /harvesterRegistration endpoint using firewall rules or network ACLs. …
