PatchSiren cyber security CVE debrief
CVE-2026-48114 NCEAS CVE debrief
A critical vulnerability was discovered in Metacat, a data repository software used for preserving, sharing, and discovering data. The issue, tracked as CVE-2026-48114, is an unauthenticated SQL injection vulnerability that affects versions 2.0.0 and above. The vulnerability is located in the /harvesterRegistration endpoint, where the HarvesterRegistration.dbInsert() function builds an INSERT statement against the HARVEST_SITE_SCHEDULE table using string concatenation. This allows an attacker to inject malicious SQL code through three request parameters: unit, contactEmail, and documentListURL. The vulnerability has a CVSS score of 9.8 and is considered critical. The PostgreSQL backend used by Metacat permits stacked queries via Statement.executeUpdate(), which enables an attacker to gain full read/write/execute access in the Metacat database context. The vulnerability was remediated in Metacat version 3.0.0.
- Vendor: NCEAS
- Product: metacat
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Users of Metacat versions 2.0.0 and above should be aware of this vulnerability and take immediate action to upgrade to version 3.0.0 or apply the necessary patches.
Technical summary
CVE-2026-48114 is an unauthenticated SQL injection vulnerability in Metacat versions 2.0.0 and above. The vulnerability is caused by the use of string concatenation in the HarvesterRegistration.dbInsert() function, which allows an attacker to inject malicious SQL code. The vulnerability has a CVSS score of 9.8 and is considered critical.
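One way to write the insert described above so that unit, contactEmail and documentListURL are bound as data rather than concatenated into the statement, shown as an added example (it is not Metacat's code and not the 3.0.0 fix). The class and method names, the column names and the allow-list for unit are assumptions; only the table name and the three parameter names come from this advisory.

```java
import java.net.URI;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Set;
import java.util.regex.Pattern;

public class HarvestScheduleInsert {
    // Assumed allow-list; the advisory does not list the legal values for "unit".
    static final Set<String> UNITS = Set.of("days", "weeks", "months");
    // Deliberately narrow shape check (assumption, not a full RFC 5322 parser).
    static final Pattern EMAIL = Pattern.compile("^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}$");

    // Column names are assumed for illustration; only the table name is from the advisory.
    static final String SQL =
        "INSERT INTO HARVEST_SITE_SCHEDULE (UNIT, CONTACT_EMAIL, DOCUMENTLISTURL) VALUES (?, ?, ?)";

    /** Returns null when all three parameters pass, otherwise the offending parameter name. */
    static String firstInvalid(String unit, String email, String url) {
        if (unit == null || !UNITS.contains(unit)) return "unit";
        if (email == null || !EMAIL.matcher(email).matches()) return "contactEmail";
        try {
            URI u = new URI(url); // a null or malformed URL throws and is rejected below
            String s = u.getScheme();
            if (u.getHost() == null || !("http".equals(s) || "https".equals(s))) return "documentListURL";
        } catch (Exception e) {
            return "documentListURL";
        }
        return null;
    }

    /** The statement text is constant; each value travels as a bound parameter, never as SQL. */
    static int insert(Connection conn, String unit, String email, String url) throws SQLException {
        String bad = firstInvalid(unit, email, url);
        if (bad != null) throw new IllegalArgumentException("rejected parameter: " + bad);
        try (PreparedStatement ps = conn.prepareStatement(SQL)) {
            ps.setString(1, unit);
            ps.setString(2, email);
            ps.setString(3, url);
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs; the validation path runs without a database.
        System.out.println(firstInvalid("days", "admin@example.org", "https://example.org/list.xml"));
        System.out.println(firstInvalid("days", "o'brien@example.org", "https://example.org/list.xml"));
    }
}
```

The validation is a second layer only: the parameter binding is what keeps input out of the statement text, so a value that passes the checks is still stored as plain data.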
Defensive priority
High
Recommended defensive actions
- Upgrade to Metacat version 3.0.0 or later
- Apply the necessary patches to remediate the vulnerability
Evidence notes
The vulnerability was discovered and reported by an unknown source. The CVE record was published on June 15, 2026, and the vulnerability was remediated in Metacat version 3.0.0.
Official resources
CVE-2026-48114 was published on 2026-06-15T20:16:28.957Z.