npm package
@cubejs-backend/server-core
pkg:npm/%40cubejs-backend/server-core
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-25958 | — | >= 0.27.19, < 1.0.14 | 1.0.14 | Feb 9, 2026 | Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14. | ||
| CVE-2026-25957 | — | >= 1.1.17, < 1.4.2 | 1.4.2 | Feb 9, 2026 | Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2. |
- CVE-2026-25958Feb 9, 2026affected >= 0.27.19, < 1.0.14fixed 1.0.14
Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14.
- CVE-2026-25957Feb 9, 2026affected >= 1.1.17, < 1.4.2fixed 1.4.2
Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2.