
Apache Kylin

21 known vulnerabilities across versions
Entries are listed by affected version range, with the CVSS score and severity reported for each CVE. Summaries are reproduced as published and several are cut short. The range column is the source's own; where it disagrees with the summary (CVE-2020-1956 is listed as <= 2.3.2 while its summary names releases up to 2.6.5 and 3.0.1), confirm against the upstream Apache Kylin advisory before relying on either.
CVE-2025-61735
Affected: >= 4.0.0 and < 5.0.3
Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. You…
CVSS: 7.3 HIGH

CVE-2025-61734
Affected: >= 4.0.0 and < 5.0.3
Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's system and…
CVSS: 7.5 HIGH

CVE-2025-61733
Affected: >= 4.0.0 and < 5.0.3
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0…
CVSS: 7.5 HIGH

CVE-2025-30067
Affected: >= 4.0.0 and < 5.0.2
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Kylin. If an attacker gets access to Kylin's sy…
CVSS: 7.2 HIGH

CVE-2024-48944
Affected: >= 5.0.0 and < 5.0.2
Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. Through a kylin server, an attacker may forge a request to invok…
CVSS: 6.5 MEDIUM

CVE-2024-23590
Affected: >= 2.0.0 and < 5.0.0
Session Fixation vulnerability in Apache Kylin. This issue affects Apache Kylin: from 2.0.0 through 4.x. Users are recommended t…
CVSS: 9.1 CRITICAL

CVE-2023-29055
Affected: >= 2.0.0 and < 4.0.4
In Apache Kylin version 2.0.0 to 4.0.3, there is a Server Config web interface that displays the content of file 'kylin.properties…
CVSS: 7.5 HIGH

CVE-2022-44621
Affected: < 4.0.3
Diagnosis Controller misses parameter validation, so a user may be attacked by command injection via an HTTP request.
CVSS: 9.8 CRITICAL

CVE-2022-43396
Affected: < 4.0.3
In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user…
CVSS: 8.8 HIGH

CVE-2022-24697
Affected: >= 2.0.0 and < 2.6.6
Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overw…
CVSS: 9.8 CRITICAL

CVE-2021-45458
Affected: >= 2.0.0 and <= 2.6.6
Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption al…
CVSS: 7.5 HIGH

CVE-2021-45457
Affected: >= 2.0.0 and <= 2.6.6
In Apache Kylin, Cross-origin requests with credentials are allowed to be sent from any origin. This issue affects Apache Kylin 2…
CVSS: 7.5 HIGH

CVE-2021-45456
Affected: all versions
Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. Ther…
CVSS: 9.8 CRITICAL

CVE-2021-36774
Affected: >= 2.0.0 and <= 2.6.6
Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties,…
CVSS: 6.5 MEDIUM

CVE-2021-31522
Affected: >= 2.0.0 and <= 2.6.6
Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and pr…
CVSS: 9.8 CRITICAL

CVE-2021-27738
Affected: >= 3.0.0 and < 3.1.2
All request mappings in StreamingCoordinatorController.java handling /kylin/api/streaming_coordinator/* REST API endpoints did…
CVSS: 7.5 HIGH

CVE-2020-13937
Affected: all versions
Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5…
CVSS: 5.3 MEDIUM

CVE-2020-13926
Affected: >= 2.0.0 and < 3.1.0
Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system…
CVSS: 9.8 CRITICAL

CVE-2020-13925
Affected: >= 2.3.0 and < 3.1.0
Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them…
CVSS: 9.8 CRITICAL

CVE-2020-1956
Affected: >= 2.3.0 and <= 2.3.2
Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input…
CVSS: 8.8 HIGH

CVE-2020-1937
Affected: >= 2.3.0 and <= 2.3.2
Kylin has some restful apis which will concatenate SQLs with the user input string, a user is likely to be able to run malicious d…
CVSS: 8.8 HIGH