A SQL injection vulnerability exists in Rucio's FilterEngine.create_postgres_query. Affected versions are 1.30.0 to before 35.8.5, 36.0.0 to before 38.5.5, 39.0.0 to before 39.4.2, and 40.0.0 to before 40.1.1. When the postgres_meta plugin is enabled, any authenticated Rucio user can execute arbitrary SQL against the PostgreSQL metadata database via the DID search endpoint, potentially leading to data modification, remote code execution, and credential theft.
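A triage helper for the version ranges and plugin condition stated above, as an added example that is not part of the advisory or of Rucio's code base. The function names and the `postgres_meta_enabled` flag (supplied by the operator from their own deployment) are hypothetical, and only plain numeric release strings are accepted.

```python
import re

# Affected ranges from the advisory: (first affected, first fixed), end exclusive.
AFFECTED_RANGES = [
    ((1, 30, 0), (35, 8, 5)),
    ((36, 0, 0), (38, 5, 5)),
    ((39, 0, 0), (39, 4, 2)),
    ((40, 0, 0), (40, 1, 1)),
]


def parse_version(text):
    """Parse a plain 'X.Y.Z' release string into a 3-tuple of ints."""
    text = text.strip()
    # Reject suffixes such as 'rc1' rather than guess how they order.
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def fixed_version_for(version):
    """Return the first fixed release for an affected version, else None."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return ".".join(map(str, first_fixed))
    return None


def triage(version, postgres_meta_enabled):
    """Classify one deployment by version and postgres_meta plugin state."""
    fix = fixed_version_for(version)
    if fix is None:
        return "not affected"
    if postgres_meta_enabled:
        return f"exposed: upgrade to at least {fix}"
    return f"vulnerable code present, plugin disabled: upgrade to at least {fix}"


if __name__ == "__main__":
    # Constructed sample inventory: (host label, version, plugin enabled).
    inventory = [("rucio-a", "35.8.4", True), ("rucio-b", "39.4.2", True),
                 ("rucio-c", "40.0.3", False)]
    for host, version, enabled in inventory:
        print(host, version, triage(version, enabled))
```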