5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-21892

CVE-2026-21892: Parsl Monitoring Visualization Vulnerable to SQL Injection

Parsl is a Python parallel scripting library. A SQL Injection vulnerability exists in the parsl-visualize component of versions prior to 2026.01.05. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL routes. This allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL commands, potentially leading to data exfiltration or denial of service against the monitoring database. Version 2026.01.05 fixes the issue.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-21892

CVE-2026-21892:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
parsl	pip	< 2026.01.05	2026.01.05

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided patch 013a928461e70f38a33258bd525a351ed828e974 clearly indicates a SQL injection vulnerability in the parsl.monitoring.visualization component. The root cause is the use of unsafe Python string formatting (the % operator) to construct SQL queries with user-supplied input (workflow_id) taken directly from URL routes. The patch remediates this by replacing the string formatting with parameterized queries using sqlalchemy.text and a params dictionary. Two functions were identified as vulnerable: workflow_dag_details and workflow_resources in parsl/monitoring/visualization/views.py. Both functions took the workflow_id and inserted it directly into a SQL query string, allowing an attacker to execute arbitrary SQL commands by crafting a malicious URL. This could lead to data exfiltration from the monitoring database or a denial of service.

Vulnerable functions

workflow_dag_details

parsl/monitoring/visualization/views.py

The function constructs a SQL query by directly embedding the `workflow_id` parameter using unsafe string formatting (`%s`). This allows an attacker to inject malicious SQL code into the query by manipulating the `workflow_id` in the URL.

workflow_resources

parsl/monitoring/visualization/views.py

Similar to `workflow_dag_details`, this function uses unsafe string formatting to inject the `workflow_id` into a SQL query. This makes it vulnerable to SQL injection, as user-controlled input from the URL is passed directly into the database query without sanitization.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-21892: Parsl Monitoring Visualization Vulnerable to SQL Injection

CVE-2026-21892:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

5.3

5.3

CVE-2026-21892: Parsl Monitoring Visualization Vulnerable to SQL Injection

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI