SCA: security update for parsl (GHSA-f2mf-q878-gh58)

high Tenable Self-Hosted Container Security Plugin ID 436593

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Parsl is a Python parallel scripting library. A SQL Injection vulnerability exists in the parsl-visualize
component of versions prior to 2026.01.05. The application constructs SQL queries using unsafe string
formatting (Python % operator) with user-supplied input (workflow_id) directly from URL routes. This
allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL
commands, potentially leading to data exfiltration or denial of service against the monitoring database.
Version 2026.01.05 fixes the issue. (CVE-2026-21892)

See Also

https://github.com/advisories/GHSA-f2mf-q878-gh58

Plugin Details

Severity: High

ID: 436593

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 1/6/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.8

Percentile: 22.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2026-21892

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/6/2026

Vulnerability Publication Date: 1/6/2026

Reference Information

CVE: CVE-2026-21892

cwe: CWE-89