CVE-2026-22805 · HIGH 8.6 · EPSS p9.9%


Description

Metabase is an open-source data analytics platform. Prior to versions 55.13, 56.3, and 57.1, self-hosted Metabase instances that allow users to create subscriptions could potentially be impacted if the instance is colocated with other unsecured resources. This vulnerability is fixed in 55.13, 56.3, and 57.1.

Scoring

CVSS 3.1: 8.6 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.20% probability of exploitation · percentile 9.9% · 2026-06-19T12:03:05Z
Published: 2026-01-12
Last modified: 2026-04-10

Underlying weaknesses · 1

CWE-918

References

  1. https://github.com/metabase/metabase/security/advisories/GHSA-2wgg-7r2p-cmqx


Type: Weakness
Target: Server-Side Request Forgery (SSRF) (cwe-918)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: Metabase GeoJSON API Local File Inclusion Vulnerability
CVE: CVE-2026-23899
CVE: CVE-2025-9364
CVE: CVE-2025-59271
CVE: CVE-2026-25848
CVE: CVE-2026-25859
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.