CVE-2026-46645EPSS p11.6%

CVE-2026-46645CVE-2026-46645

Description

SQLAdmin is a flexible Admin interface for SQLAlchemy models. Prior to version 0.25.1, the ajax_lookup endpoint in application.py bypasses the is_accessible() access control check that all other endpoints enforce. If a developer restricts model access by overriding is_accessible(), an authenticated user can still query that model's data through the ajax_lookup endpoint — silently bypassing the restriction. This issue has been patched in version 0.25.1.

Scoring

CVSS 4.3 ()
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS0.21% probability of exploitation · percentile 11.6% · 2026-06-19T12:03:05Z
Last modified2026-06-11

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-7813
CVE
CVE-2025-26941
CVE
CVE-2026-4277
CVE
CVE-2025-48383
CVE
CVE-2025-64459
CVE
CVE-2026-39109
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.