[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-59827":6},{"stargazers_count":4,"fetched_at":5},7,"2026-07-09T17:25:38.292Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":24,"aliases":25,"duplicate_of":9,"upstream":26,"downstream":27,"duplicates":28,"related":29,"reserved_at":9,"published_at":30,"modified_at":31,"state":32,"summary":33,"references_raw":40,"kevs":67,"epss":9,"epss_history":68,"metrics":69,"affected":75},"CVE-2026-59827","Metabase is an open-source business intelligence and embedded analytics tool. Prior to 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4, Metabase instances with an H2 database connection, including the default sample database, deserialize arbitrary Java objects returned in H2 native query result columns of type OTHER without validation, allowing an authenticated user who can run native H2 queries to execute code on the Metabase server. This issue is fixed in versions 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-502","Deserialization of Untrusted Data","The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.","weakness","Draft","Base","Medium",[20],{"id":21,"name":22,"techniques":23},"CAPEC-586","Object Injection",[],[],[],[],[],[],[],"2026-07-09T17:43:57.546Z","2026-07-09T18:24:48.433Z","PUBLISHED",{"cisa_kev":34,"cisa_ransomware":34,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":35,"severity_score":36,"severity_version":37,"severity_source":38,"severity_vector":39,"severity_status":32},false,"critical",9.9,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",[41,46,51,55,59,63],{"url":42,"sources":43,"tags":44},"https://github.com/metabase/metabase/security/advisories/GHSA-w95f-x9v9-wv36",[38],[45],"X Refsource CONFIRM",{"url":47,"sources":48,"tags":49},"https://github.com/metabase/metabase/commit/00f42511fe3bc4385652a2e96862ee6fd7d42cf8",[38],[50],"X Refsource MISC",{"url":52,"sources":53,"tags":54},"https://github.com/metabase/metabase/releases/tag/v0.58.15",[38],[50],{"url":56,"sources":57,"tags":58},"https://github.com/metabase/metabase/releases/tag/v0.59.12",[38],[50],{"url":60,"sources":61,"tags":62},"https://github.com/metabase/metabase/releases/tag/v0.60.6.3",[38],[50],{"url":64,"sources":65,"tags":66},"https://github.com/metabase/metabase/releases/tag/v0.61.1.4",[38],[50],[],[],[70],{"source":38,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":71,"cvss_v4_0":9},{"baseScore":36,"baseSeverity":72,"vectorString":39,"impactScore":73,"exploitabilityScore":74},"CRITICAL",10,7.9,[76],{"ecosystem":9,"name":77,"vendor":77,"product":77,"cpe_part":78,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":79},"metabase","a",[80,87,91,95],{"version":81,"is_range":82,"range_type":38,"version_start":83,"version_start_type":84,"version_end":85,"version_end_type":86,"fixed_in":9},">= 1.58.0, \u003C 1.58.15",true,"1.58.0","including","1.58.15","excluding",{"version":88,"is_range":82,"range_type":38,"version_start":89,"version_start_type":84,"version_end":90,"version_end_type":86,"fixed_in":9},">= 1.59.0, \u003C 1.59.12","1.59.0","1.59.12",{"version":92,"is_range":82,"range_type":38,"version_start":93,"version_start_type":84,"version_end":94,"version_end_type":86,"fixed_in":9},">= 1.60.0, \u003C 1.60.6.3","1.60.0","1.60.6.3",{"version":96,"is_range":82,"range_type":38,"version_start":97,"version_start_type":84,"version_end":98,"version_end_type":86,"fixed_in":9},">= 1.61.0, \u003C 1.61.1.4","1.61.0","1.61.1.4"]