SQL Injection in migration-planner via crafted RVTools .xlsx upload (CVE-2026-53474)
critical-cve-against-dependency · active
A SQL injection flaw in migration-planner lets a remote authenticated attacker upload a specially crafted RVTools .xlsx file whose embedded SQL is executed when cluster names are processed. This enables arbitrary file reading that can expose Kubernetes service account tokens and credentials, potentially leading to full compromise of the SaaS environment.
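
The flaw class described above, as an added example that is not migration-planner's code: a cluster name taken from an uploaded sheet is spliced into a SQL string in one function and bound as a parameter in the other. The in-memory SQLite database, the `hosts` table, the function names and the sample values are all assumptions made for illustration.

```python
import sqlite3

# Constructed data: (cluster name, host) pairs standing in for parsed sheet rows.
ROWS = [("prod-east", "esx01"), ("prod-east", "esx02"), ("lab", "esx03")]

# Constructed cell value that contains a quote followed by SQL syntax.
CRAFTED_NAME = "nope' OR '1'='1"


def open_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (cluster TEXT NOT NULL, host TEXT NOT NULL)")
    conn.executemany("INSERT INTO hosts VALUES (?, ?)", ROWS)
    return conn


def hosts_in_cluster_unsafe(conn, cluster_name):
    # Vulnerable pattern: the cell text becomes part of the statement itself,
    # so a quote in the name ends the string literal and the rest parses as SQL.
    sql = f"SELECT host FROM hosts WHERE cluster = '{cluster_name}' ORDER BY host"
    return [row[0] for row in conn.execute(sql)]


def hosts_in_cluster_safe(conn, cluster_name):
    # Hardened pattern: the statement text is fixed and the cell text is bound
    # as a value, so it is only ever compared against the column.
    sql = "SELECT host FROM hosts WHERE cluster = ? ORDER BY host"
    return [row[0] for row in conn.execute(sql, (cluster_name,))]


if __name__ == "__main__":
    conn = open_db()
    for name in ("prod-east", CRAFTED_NAME):
        print(repr(name))
        print("  unsafe:", hosts_in_cluster_unsafe(conn, name))
        print("  safe:  ", hosts_in_cluster_safe(conn, name))
```

With the crafted name, the concatenated query returns every host while the bound query returns none, which is the difference between the cell being interpreted as SQL and being treated as data.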