CVE-2021-47748
Published 2026-01-21
Priority P263 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.02% (59.1th percentile)
Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the run_sql endpoint by crafting malicious GraphQL queries that execute system commands through PostgreSQL's COPY FROM PROGRAM functionality.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hasura | graphql | — | — |
| hasura | graphql_engine | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests targeting the run_sql endpoint for SQL payloads containing COPY FROM PROGRAM, which is the exploitation vector for arbitrary shell command execution in CVE-2021-47748.
- No fix is available for CVE-2021-47748 as of the published source date; affected deployments of Hasura GraphQL Engine (cpe:2.3:a:hasura:graphql_engine) remain exposed.
- The vulnerability has a public exploit available and a CRITICAL severity score of 9.3, increasing urgency for network-level controls around the Hasura run_sql endpoint.
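As an added defensive example (not part of this record or of Hasura's own code), the log check below implements the first detection bullet: it parses JSON-lines access logs, walks run_sql (and bulk) metadata requests sent to the assumed /v1/query and /v2/query paths, and flags statements containing COPY ... FROM PROGRAM in any case or spacing, while ignoring benign statements that merely contain "FROM program". The request shape ({"type": "run_sql", "args": {"sql": ...}}), the log format and the sample lines are assumptions constructed for this example.

```python
import json
import re

# Hasura metadata API paths that accept run_sql (assumed; /v1/query is the one named on the page)
RUN_SQL_PATHS = {"/v1/query", "/v2/query"}
# COPY ... FROM PROGRAM may be mixed case and split across whitespace or newlines
COPY_FROM_PROGRAM = re.compile(r"\bCOPY\b[\s\S]*?\bFROM\s+PROGRAM\b", re.IGNORECASE)

def iter_run_sql(body):
    """Yield each SQL string of a run_sql query, descending into 'bulk' batches."""
    if not isinstance(body, dict):
        return
    qtype, args = body.get("type"), body.get("args")
    if qtype == "run_sql" and isinstance(args, dict) and isinstance(args.get("sql"), str):
        yield args["sql"]
    elif qtype == "bulk" and isinstance(args, list):
        for sub in args:
            yield from iter_run_sql(sub)

def is_copy_from_program(sql):
    """True when the statement contains COPY ... FROM PROGRAM, regardless of case or spacing."""
    return COPY_FROM_PROGRAM.search(sql) is not None

def scan_log(lines):
    """Return (client, path, sql) for each suspicious run_sql POST in JSON-lines access logs."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
            body = json.loads(rec.get("body") or "null")
        except (json.JSONDecodeError, AttributeError):
            continue  # malformed line or non-JSON body: skip it rather than abort the scan
        if rec.get("method") != "POST" or rec.get("path") not in RUN_SQL_PATHS:
            continue
        for sql in iter_run_sql(body):
            if is_copy_from_program(sql):
                findings.append((rec.get("client"), rec["path"], sql))
    return findings

# Constructed sample access-log lines (not from the page); the last two must not alert
SAMPLE_LOG = [
    json.dumps({"client": "10.0.0.5", "method": "POST", "path": "/v1/query", "body": json.dumps(
        {"type": "run_sql", "args": {"sql": "copy t from\n program 'echo x'"}})}),
    json.dumps({"client": "10.0.0.6", "method": "POST", "path": "/v1/query", "body": json.dumps(
        {"type": "bulk", "args": [{"type": "run_sql", "args": {"sql": "COPY t FROM PROGRAM 'echo y'"}}]})}),
    json.dumps({"client": "10.0.0.7", "method": "POST", "path": "/v1/query", "body": json.dumps(
        {"type": "run_sql", "args": {"sql": "SELECT count(*) FROM program_list"}})}),
    json.dumps({"client": "10.0.0.8", "method": "POST", "path": "/v1/graphql", "body": "{\"query\":\"{ a }\"}"}),
]
```

Running `scan_log(SAMPLE_LOG)` returns the two findings from 10.0.0.5 and 10.0.0.6 and nothing for the benign lines.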
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
No detection rules found.
No public exploits indexed.
Wiz
CVE-2021-47715 Impact, Exploitability, and Mitigation Steps | Wiz
Source: blogs_wiz · CVSS 8.7
## CVE-2021-47715: Hasura vulnerability analysis and mitigation
Hasura GraphQL 1.3.3 contains a server-side request forgery vulnerability that allows attackers to inject arbitrary remote schema URLs through the add_remote_schema endpoint. Attackers can exploit the vulnerability by sending crafted POST requests to the /v1/query endpoint with malicious URL definitions to potentially access internal network resources.
Source: NVD
Score: 6.9
Published: December 22, 2025
Severity: MEDIUM
CNA Score: 6.9
Affected Technologies: Hasura
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 15.7
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: cpe:2.3:a:hasura:graphql_engine
Wiz
CVE-2021-47713 Impact, Exploitability, and Mitigation Steps | Wiz
Source: blogs_wiz · CVSS 8.7
## CVE-2021-47713: Hasura vulnerability analysis and mitigation
Hasura GraphQL 1.3.3 contains a denial of service vulnerability that allows attackers to overwhelm the service by crafting malicious GraphQL queries with excessive nested fields. Attackers can send repeated requests with extremely long query strings and multiple threads to consume server resources and potentially crash the GraphQL endpoint.
Source: NVD
Score: 8.7
Published: December 22, 2025
Severity: HIGH
CNA Score: 8.7
Affected Technologies: Hasura
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 21.9
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: cpe:2.3:a:hasura:graphql_engine
Wiz
CVE-2021-47748 Impact, Exploitability, and Mitigation Steps | Wiz
Source: blogs_wiz · CVSS 8.7
## CVE-2021-47748: Hasura vulnerability analysis and mitigation
Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the run_sql endpoint by crafting malicious GraphQL queries that execute system commands through PostgreSQL's COPY FROM PROGRAM functionality.
Source: NVD
Score: 9.3
Published: January 21, 2026
Severity: CRITICAL
CNA Score: 9.3
Affected Technologies: Hasura
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 44.4
Exploitation Probability (EPSS): 0.2
Affected packages and libraries: cpe:2.3:a:hasura:graphql_engine
Wiz
CVE-2021-47714 Impact, Exploitability, and Mitigation Steps | Wiz
Source: blogs_wiz · CVSS 8.7
## CVE-2021-47714: Hasura vulnerability analysis and mitigation
Hasura GraphQL 1.3.3 contains a local file read vulnerability that allows attackers to access system files through SQL injection in the query endpoint. Attackers can exploit the pg_read_file() PostgreSQL function by crafting malicious SQL queries to read arbitrary files on the server.
Source: NVD
Score: 6.9
Published: December 22, 2025
Severity: MEDIUM
CNA Score: 6.9
Affected Technologies: Hasura
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 6.6
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:hasura:graphql_engine
Sources: Linux · Severity MEDIUM · No Fix · Added at: Apr 08, 2026