PatchSiren cyber security CVE debrief
CVE-2026-53474 Red Hat CVE debrief
A critical SQL Injection vulnerability was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL Injection allows for arbitrary file reading on the system, potentially exposing sensitive information such as Kubernetes service account tokens and other credentials, which could lead to a full compromise of the SaaS environment.
- Vendor: Red Hat
- Product: migration-planner
- CVSS: CRITICAL 9.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of migration-planner, especially those running it in a SaaS environment where any authenticated user can upload RVTools .xlsx files, should be aware of this vulnerability and take immediate action to mitigate the risk.
Technical summary
The vulnerability is caused by improper input sanitization in migration-planner: cluster names read from a specially crafted RVTools .xlsx file are incorporated into SQL statements without being bound as parameters, so SQL embedded in a spreadsheet cell is executed. This can lead to arbitrary file reading and exposure of sensitive information.
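The following is an added illustration of the defect class described above, not code from migration-planner or Red Hat. It models the cluster-name column of an uploaded spreadsheet as a constructed Python list, stores the names in an in-memory SQLite table, and contrasts string-built SQL (the weak pattern) with parameter binding plus an allowlist check (the hardened pattern). The regular expression, table layout and function names are assumptions for this demonstration only.

```python
import re
import sqlite3

# Constructed sample of what a spreadsheet "cluster" column might carry.
# One benign name, one with a legitimate apostrophe, and one carrying a SQL
# fragment (constructed for this demo; not a value from the advisory).
SAMPLE_CLUSTER_NAMES = [
    "prod-cluster-01",
    "O'Brien Lab",
    "x' OR 1=1 --",
]

# Assumed allowlist for cluster names: word characters, space, dot,
# apostrophe and hyphen, at most 64 characters. Defence in depth only;
# parameter binding below is what actually prevents injection.
CLUSTER_NAME_RE = re.compile(r"^[\w .'\-]{1,64}$")


def open_db():
    """Create an in-memory database with a minimal clusters table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clusters (id INTEGER PRIMARY KEY, name TEXT NOT NULL)"
    )
    return conn


def insert_unsafe(conn, name):
    # Weak pattern: the cell content becomes part of the SQL text itself.
    conn.execute(f"INSERT INTO clusters (name) VALUES ('{name}')")


def insert_safe(conn, name):
    # Hardened pattern: the value is bound as a parameter, never parsed as SQL.
    conn.execute("INSERT INTO clusters (name) VALUES (?)", (name,))


def count_by_name_unsafe(conn, name):
    # Weak pattern: a crafted name rewrites the WHERE clause.
    row = conn.execute(
        f"SELECT COUNT(*) FROM clusters WHERE name = '{name}'"
    ).fetchone()
    return row[0]


def count_by_name_safe(conn, name):
    # Hardened pattern: the name is compared literally, whatever it contains.
    row = conn.execute(
        "SELECT COUNT(*) FROM clusters WHERE name = ?", (name,)
    ).fetchone()
    return row[0]


def import_clusters(names):
    """Load spreadsheet cluster names the hardened way.

    Returns (conn, stored_names, rejected_names). Names failing the
    allowlist are rejected before they ever reach the database.
    """
    conn = open_db()
    stored, rejected = [], []
    for n in names:
        if not CLUSTER_NAME_RE.match(n):
            rejected.append(n)
            continue
        insert_safe(conn, n)
        stored.append(n)
    return conn, stored, rejected


def compare_lookup(names, probe):
    """Store all names with binding, then query with both patterns."""
    conn = open_db()
    for n in names:
        insert_safe(conn, n)
    return count_by_name_unsafe(conn, probe), count_by_name_safe(conn, probe)


if __name__ == "__main__":
    _, stored, rejected = import_clusters(SAMPLE_CLUSTER_NAMES)
    print("stored:", stored)
    print("rejected by allowlist:", rejected)
    unsafe, safe = compare_lookup(SAMPLE_CLUSTER_NAMES, SAMPLE_CLUSTER_NAMES[2])
    print("rows matched, string-built SQL:", unsafe)
    print("rows matched, bound parameter:", safe)
```

With the constructed input, the string-built lookup matches every row because the probe name alters the WHERE clause, while the bound-parameter lookup matches only the one row whose name is literally that string. The string-built insert also fails on the legitimate apostrophe in "O'Brien Lab", which is a useful detection signal: SQL syntax errors logged during spreadsheet import indicate that cell contents are reaching the SQL text.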
Defensive priority
High
Recommended defensive actions
- Apply patches or updates provided by the vendor as soon as possible.
- Restrict access to the migration-planner application to only trusted users.
- Monitor for suspicious activity, such as unusual file access or modifications.
Evidence notes
The CVE-2026-53474 record was obtained from the official CVE.org database and the NVD detail page.
Official resources
CVE-2026-53474 was published on 2026-06-10T15:16:41.943Z and modified on 2026-06-10T19:24:04.320Z.