Tag
ArcadeDB Cross-Database IDOR Vulnerability Allows Unauthorized Data Access
1 rule 1 TTPArcadeDB server versions prior to 26.7.2 are vulnerable to a cross-database Insecure Direct Object Reference (IDOR) due to improper authorization checks in several HTTP handlers, enabling a user authorized for a specific database to gain full read and write access to other unauthorized databases by directly accessing specific API endpoints.
ArcadeDB Trigger Script RCE via Java.lang.* Allow-list
3 TTPsA vulnerability in ArcadeDB's ScriptTriggerExecutor allows users with UPDATE_SCHEMA privileges to achieve OS Remote Code Execution (RCE) due to a permissive allow-list for trigger scripts, enabling direct calls to `java.lang.Runtime.exec()` when a malicious trigger script is created and fired.
ArcadeDB IMPORT DATABASE Allows SSRF and Arbitrary Local File Read
2 rules 3 TTPsAuthenticated users can exploit an unvalidated `IMPORT DATABASE` function in ArcadeDB (CVE-2026-54077) to perform Server-Side Request Forgery (CWE-918) against cloud metadata endpoints and internal services, or achieve arbitrary local file read (CWE-22) via `file://` paths, exposing sensitive data.