216.73.217.126

CVE-2025-71392

· Published 18/07/2026 16:17 · Author: The MITRE Corporation

Labels: CVE-2025-71392

Essential information

Published
18/07/2026 16:17
Modified
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
9.4 CRITICAL (v4.0)
CISA KEV
No
CWE
CWE-77
CVSS vector

CVSS metrics

Description

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 fails to properly escape table and field names in the command-line export command. An authenticated System User with OWNER or EDITOR roles can create tables or fields with malicious names containing SurrealQL. When a higher-privileged user subsequently imports the exported backup, the injected SurrealQL executes, enabling privilege escalation and root-level takeover of the SurrealDB instance. Applications that let users define custom tables or fields are also exposed to a universal second-order SurrealQL injection even when query parameters are sanitized.

NVD status

NVD
View on NVD