CVE-2026-21892
Severity: MEDIUM
Parsl < 2026.01.05 - Unauthenticated SQL Injection via Workflow ID Parameter
Title source: llmDescription
Parsl is a Python parallel scripting library. A SQL Injection vulnerability exists in the parsl-visualize component of versions prior to 2026.01.05. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL routes. This allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL commands, potentially leading to data exfiltration or denial of service against the monitoring database. Version 2026.01.05 fixes the issue.
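The pattern the description names (a route parameter spliced into SQL with Python's % operator) is shown below against a constructed in-memory SQLite table, next to the parameterized form that fixes it. This is an added illustration, not code from Parsl or its patch: the table schema, the `lookup_*` function names and the identifier regex are assumptions made for the example, and the sample rows are constructed.

```python
import re
import sqlite3

# Constructed stand-in for a monitoring database; not Parsl's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE workflow (run_id TEXT PRIMARY KEY, workflow_name TEXT)")
    conn.executemany(
        "INSERT INTO workflow VALUES (?, ?)",
        [("wf-0001", "alpha"), ("wf-0002", "beta"), ("wf-0003", "gamma")],
    )
    conn.commit()
    return conn

# Vulnerable pattern (CWE-89): the URL parameter is formatted straight into the
# SQL text, so a quote character in workflow_id changes the query's structure.
def lookup_vulnerable(conn, workflow_id):
    query = "SELECT run_id, workflow_name FROM workflow WHERE run_id='%s'" % workflow_id
    return conn.execute(query).fetchall()

# Fixed pattern: a bind parameter makes the driver treat workflow_id purely as data,
# whatever characters it contains.
def lookup_parameterized(conn, workflow_id):
    query = "SELECT run_id, workflow_name FROM workflow WHERE run_id=?"
    return conn.execute(query, (workflow_id,)).fetchall()

# Defence in depth: reject identifiers that do not match the expected shape before
# they reach the database. The format below is an assumption for this example.
WORKFLOW_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def lookup_validated(conn, workflow_id):
    if not WORKFLOW_ID_RE.fullmatch(workflow_id):
        raise ValueError("invalid workflow_id")
    return lookup_parameterized(conn, workflow_id)

# A classic tautology input used as a test case to contrast the two query styles.
TAUTOLOGY = "x' OR '1'='1"

def demo():
    conn = make_db()
    return {
        "legit_vuln": lookup_vulnerable(conn, "wf-0002"),
        "legit_safe": lookup_parameterized(conn, "wf-0002"),
        "tautology_vuln": len(lookup_vulnerable(conn, TAUTOLOGY)),  # whole table leaks
        "tautology_safe": len(lookup_parameterized(conn, TAUTOLOGY)),  # no match
    }

if __name__ == "__main__":
    print(demo())
```

For a legitimate id both functions return the same row; for the tautology input the formatted query returns every row in the table while the parameterized one returns nothing. The same contrast holds for any DB-API driver (the placeholder syntax differs, the principle does not), and a shape check such as `lookup_validated` gives an early, loggable rejection for malformed ids.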
References (2)
Exploit, Vendor Advisory (x_refsource_confirm): https://github.com/Parsl/parsl/security/advisories/GHSA-f2mf-q878-gh58
Patch (x_refsource_misc): https://github.com/Parsl/parsl/commit/013a928461e70f38a33258bd525a351ed828e974
Scores
CVSS v3: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Attack Vector: NETWORK
EPSS: 0.0019
EPSS Percentile: 40.5%
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-89
Status: published
Products (2)
pypi/parsl: 0 - 2026.01.05 (PyPI)
uchicago/parsl: < 2026.01.05
Published: Jan 08, 2026
Tracked Since: Feb 18, 2026