CVE-2026-53474
CriticalCVSS 9.6Exploitation Probability (EPSS)
Low risk23th percentile — higher than 23% of all known CVEs
Summary
A flaw was found in migration-planner that allows a remote authenticated attacker to upload a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within spreadsheet cells is executed when processing cluster names.
Risk Assessment
This SQL Injection vulnerability allows for arbitrary file reading on the system, potentially exposing sensitive information such as Kubernetes service account tokens and other credentials, which could lead to a full compromise of the SaaS environment.
Recommendation
It is recommended to immediately update the migration-planner system and implement proper input sanitization mechanisms to prevent exploitation of this vulnerability.
Original NVD description (English source)
A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL Injection allows for arbitrary file reading on the system, potentially exposing sensitive information such as Kubernetes service account tokens and other credentials, which could lead to a full compromise of the SaaS environment.

