Description
Anchore Enterprise versions before 5.25.1 contain an SQL injection vulnerability in the GraphQL Reports API. An authenticated attacker who is able to access the GraphQL API could execute arbitrary SQL instructions, resulting in modifications to the data contained in the Anchore Enterprise database.
References (3)
Core References
Various Sources (product): https://anchore.com/platform/
Various Sources (release-notes, patch): https://docs.anchore.com/current/docs/release_notes/enterprise/5251/
Third Party Advisory (third-party-advisory): https://www.vulncheck.com/advisories/anchore-enterprise-graphql-reports-api-sql-injection
Scores
CVSS v3: 7.3
EPSS: 0.0032
EPSS Percentile: 23.2%
Attack Vector: ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-89
Status: published
Products (1)
Anchore/Anchore Enterprise: < 5.25.1
Published: Mar 13, 2026
Tracked Since: Mar 14, 2026