VYPR
Vendor

Retool

Products
2
CVEs
2
Across products
2
Status
Private

Products

2

Recent CVEs

2
  • CVE-2025-47424HigMay 9, 2025
    risk 0.46cvss 7.1epss 0.00

    Retool (self-hosted) before 3.196.0 allows Host header injection. When the BASE_DOMAIN environment variable is not set, the HTTP host header can be manipulated.

  • CVE-2024-42056Aug 22, 2024
    risk 0.00cvss epss 0.00

    Retool (self-hosted enterprise) through 3.40.0 inserts resource authentication credentials into sent data. Credentials for users with "Use" permissions can be discovered (by an authenticated attacker) via the /api/resources endpoint. The earliest affected version is 3.18.1.