VYPR
Vendor: Yugabytedb
Products: 2
CVEs: 18
Across products: 19
Status: Private

Recent CVEs (18)
  • CVE-2025-8863 (High), Aug 11, 2025
    risk 0.46, cvss n/a, epss 0.00

    YugabyteDB diagnostic information was transmitted over HTTP, which could expose sensitive data during transmission.

  • CVE-2025-8862 (High), Aug 11, 2025
    risk 0.46, cvss n/a, epss 0.00

    YugabyteDB has been collecting diagnostics information from YugabyteDB servers, which may include sensitive gflag configurations. To mitigate this, we recommend upgrading the database to a version where this information is properly redacted.

  • CVE-2024-11193 (Medium), Nov 13, 2024
    risk 0.35, cvss 6.5, epss 0.00

    An information disclosure vulnerability exists in Yugabyte Anywhere, where the LDAP bind password is logged in plaintext within application logs. This flaw results in the unintentional exposure of sensitive information in Yugabyte Anywhere logs, potentially allowing unauthorized…

  • CVE-2025-8866 (Medium), Aug 11, 2025
    risk 0.33, cvss n/a, epss 0.00

    YugabyteDB Anywhere web server does not properly enforce authentication for the /metamaster/universe API endpoint. An unauthenticated attacker could exploit this flaw to obtain server networking configuration details, including private and public IP addresses and DNS records.

  • CVE-2024-6895 (Medium), Jul 19, 2024
    risk 0.33, cvss n/a, epss 0.00

    Insufficient authentication in user account management in Yugabyte Platform allows local network attackers with a compromised user session to change critical security information without re-authentication. An attacker with a user session and access to the application can modify…

  • CVE-2024-6908 (Medium), Jul 19, 2024
    risk 0.32, cvss n/a, epss 0.00

    Improper privilege management in Yugabyte Platform allows authenticated admin users to escalate privileges to SuperAdmin via a crafted PUT HTTP request, potentially leading to unauthorized access to sensitive system functions and data.

  • CVE-2024-11165 (Medium), Nov 13, 2024
    risk 0.30, cvss n/a, epss 0.00

    An information disclosure vulnerability exists in the backup configuration process where the SAS token is not masked in the configuration response. This oversight results in sensitive information leakage within the yb_backup log files, exposing the SAS token in plaintext. The…

  • CVE-2024-0006 (Medium), Jul 19, 2024
    risk 0.28, cvss n/a, epss 0.00

    Information exposure in the logging system in Yugabyte Platform allows local attackers with access to application logs to obtain database user credentials in log files, potentially leading to unauthorized database access.

  • CVE-2025-8865 (Medium), Aug 11, 2025
    risk 0.27, cvss n/a, epss 0.00

    The YugabyteDB tablet server contains a flaw in its YCQL query handling that can trigger a null pointer dereference when processing certain malformed inputs. An authenticated attacker could exploit this issue to crash the YCQL tablet server, resulting in a denial of service.

  • CVE-2026-1966 (Low), Feb 5, 2026
    risk 0.16, cvss n/a, epss 0.00

    YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.

  • CVE-2024-41435, Sep 3, 2024
    risk 0.00, cvss n/a, epss 0.01

    YugabyteDB v2.21.1.0 was discovered to contain a buffer overflow via the "insert into" parameter.

  • CVE-2023-6002, Nov 7, 2023
    risk 0.00, cvss n/a, epss 0.00

    YugabyteDB is vulnerable to cross site scripting (XSS) via log injection. Writing unvalidated user input to log files can allow an unprivileged attacker to forge log entries or inject malicious content into the logs.

  • CVE-2023-6001, Nov 7, 2023
    risk 0.00, cvss n/a, epss 0.01

    Prometheus metrics are available without authentication. These expose detailed and sensitive information about the YugabyteDB Anywhere environment.

  • CVE-2023-4640, Aug 30, 2023
    risk 0.00, cvss n/a, epss 0.00

    The controller responsible for setting the logging level does not include any authorization checks to ensure the user is authenticated. This can be seen by noting that it extends Controller rather than AuthenticatedController and includes no further checks. This issue affects…

  • CVE-2023-0575, Feb 9, 2023
    risk 0.00, cvss n/a, epss 0.01

    External Control of Critical State Data, Improper Control of Generation of Code ('Code Injection') vulnerability in YugaByte, Inc. Yugabyte DB on Windows, Linux, MacOS, iOS (DevopsBase.Java:execCommand, TableManager.Java:runCommand modules) allows API Manipulation, Privilege…

  • CVE-2023-0745, Feb 9, 2023
    risk 0.00, cvss n/a, epss 0.01

    The High Availability functionality of Yugabyte Anywhere can be abused to write arbitrary files through the backup upload endpoint by using path traversal characters. This vulnerability is associated with program files…

  • CVE-2023-0574, Feb 9, 2023
    risk 0.00, cvss n/a, epss 0.01

    Server-Side Request Forgery (SSRF), Improperly Controlled Modification of Dynamically-Determined Object Attributes, Improper Restriction of Excessive Authentication Attempts vulnerability in YugaByte, Inc. Yugabyte Managed allows Accessing Functionality Not Properly Constrained…

  • CVE-2022-37397, Aug 12, 2022
    risk 0.00, cvss n/a, epss 0.01

    An issue was discovered in YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft's Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password.