Skip to content

Metabase Enterprise — serialization import RCE (CVSS 7.2, public PoC)

cve · CVE-2026-33725

First covered

2026-05-07

Last covered

2026-05-07

Appearances

1

All cited sources for this topic (1)

nvd.nist.govprimaryNVDhttps://nvd.nist.gov/vuln/detail/CVE-2026-33725
cited in 2026-05-07

Story timeline

2026-05-07CTI Daily Brief — 2026-05-07
active_vulnsFirst coverage. Admin-authenticated RCE via POST /api/ee/serialization/import; public Python PoC released by Hakai Security; no KEV; fixed in patched versions. [SINGLE-SOURCE-OTHER]