cbcvebase.
CVE-2021-47748
published 2026-01-21


Priority: P263
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.02% (59.1th percentile)
Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the run_sql endpoint by crafting malicious GraphQL queries that execute system commands through PostgreSQL's COPY FROM PROGRAM functionality.

Affected (2 ranges)

Vendor    Product           Version range    Fixed in
hasura    graphql
hasura    graphql_engine

Detection & IOCs (extracted from sources)

URL: /v1/query
  • Monitor HTTP POST requests targeting the run_sql endpoint for SQL payloads containing COPY FROM PROGRAM, which is the exploitation vector for arbitrary shell command execution in CVE-2021-47748.
  • No fix is available for CVE-2021-47748 as of the published source date; affected deployments of Hasura GraphQL Engine (cpe:2.3:a:hasura:graphql_engine) remain exposed.
  • The vulnerability has a public exploit available and a CRITICAL severity score of 9.3, increasing urgency for network-level controls around the Hasura run_sql endpoint.
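A defender-side check for the monitoring point above, added here as an example; it is not part of the cbcvebase record and not Hasura's own code. It inspects request records for POSTs to /v1/query whose body is a run_sql query (or a bulk wrapper carrying run_sql sub-queries, an assumption about the v1 query API's bulk type) and flags SQL matching COPY ... FROM PROGRAM, tolerating inline comments and newlines between the keywords. The JSON-lines log format and all sample records are constructed for the example.

```python
import json
import re

# COPY ... FROM PROGRAM with whitespace or /* */ comments between the keywords
COPY_FROM_PROGRAM = re.compile(
    r"\bCOPY\b.*?\bFROM\b(?:\s|/\*.*?\*/)*\bPROGRAM\b",
    re.IGNORECASE | re.DOTALL,
)

# Hasura v1 query endpoint that carries run_sql (from the record above)
RUN_SQL_PATH = "/v1/query"


def _iter_run_sql(query):
    """Yield every SQL string in a run_sql query, descending into bulk wrappers
    (assumption: a 'bulk' query holds a list of sub-queries in args)."""
    if not isinstance(query, dict):
        return
    qtype, args = query.get("type"), query.get("args")
    if qtype == "run_sql" and isinstance(args, dict) and isinstance(args.get("sql"), str):
        yield args["sql"]
    elif qtype == "bulk" and isinstance(args, list):
        for sub in args:
            yield from _iter_run_sql(sub)


def inspect_request(method, path, body):
    """Return the SQL statements in one request that match the pattern (empty = no alert)."""
    if method.upper() != "POST" or path.split("?", 1)[0] != RUN_SQL_PATH:
        return []
    try:
        query = json.loads(body)
    except (TypeError, ValueError):
        return []  # non-JSON bodies are not run_sql requests
    return [sql for sql in _iter_run_sql(query) if COPY_FROM_PROGRAM.search(sql)]


def scan_log(lines):
    """Scan JSON-lines request records; return (line_number, matched_sql) alerts."""
    alerts = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip malformed records rather than abort the scan
        for sql in inspect_request(rec.get("method", ""), rec.get("path", ""), rec.get("body", "")):
            alerts.append((n, sql))
    return alerts


# Constructed sample records (assumed log shape: method, path, raw request body); not real traffic
SAMPLE_LOG = [
    json.dumps({"method": "POST", "path": "/v1/query",
                "body": json.dumps({"type": "run_sql", "args": {"sql": "SELECT count(*) FROM users"}})}),
    json.dumps({"method": "POST", "path": "/v1/query",
                "body": json.dumps({"type": "run_sql",
                                    "args": {"sql": "COPY scratch FROM PROGRAM 'echo constructed-sample'"}})}),
    json.dumps({"method": "POST", "path": "/v1/query",
                "body": json.dumps({"type": "bulk", "args": [
                    {"type": "run_sql", "args": {"sql": "copy/**/t/**/from\n/**/program 'echo x'"}}]})}),
    json.dumps({"method": "POST", "path": "/v1/graphql",
                "body": json.dumps({"query": "{ users { id } }"})}),
]

if __name__ == "__main__":
    for line_no, sql in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: run_sql with COPY FROM PROGRAM: {sql!r}")
```

Matching on the parsed `sql` field rather than on the raw body avoids misses when the body is JSON-escaped or when the statement is spread over several lines; the keyword-gap pattern covers comment padding, but a statement built from string concatenation or dollar-quoted fragments would still need a database-side audit of COPY with PROGRAM (for example via PostgreSQL statement logging) as a second layer.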

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X