CVE-2026-21892

low-risk
Published 2026-01-08

Parsl is a Python parallel scripting library. A SQL Injection vulnerability exists in the parsl-visualize component of versions prior to 2026.01.05. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL routes. This allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL commands, potentially leading to data exfiltration or denial of service against the monitoring database. Version 2026.01.05 fixes the issue.

Do I need to act?

-
0.07% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Parsl

Affected Vendors

Uchicago

References (3)

Patch https://github.com/Parsl/parsl/commit/013a928461e70f38a33258bd525a351ed828e974
Exploit https://github.com/Parsl/parsl/security/advisories/GHSA-f2mf-q878-gh58
Exploit https://github.com/Parsl/parsl/security/advisories/GHSA-f2mf-q878-gh58
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal