Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-m89c-z84y-jug2
Vulnerability ID VCID-m89c-z84y-jug2
Aliases CVE-2025-30067
GHSA-29m8-wh9p-5wc4
Summary Apache Kylin Code Injection via JDBC Configuration Alteration Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Kylin. If an attacker gets access to Kylin's system or project admin permission, the JDBC connection configuration maybe altered to execute arbitrary code from the remote. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.1. Users are recommended to upgrade to version 5.0.2 or above, which fixes the issue.
Status Published
Exploitability 0.5
Weighted Severity 6.5
Risk 3.2
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-94 Improper Control of Generation of Code ('Code Injection')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00241 https://api.first.org/data/v1/epss?cve=CVE-2025-30067
epss 0.00241 https://api.first.org/data/v1/epss?cve=CVE-2025-30067
epss 0.00241 https://api.first.org/data/v1/epss?cve=CVE-2025-30067
cvssv4 2.1 https://github.com/apache/kylin
generic_textual LOW https://github.com/apache/kylin
cvssv4 2.1 https://github.com/apache/kylin/commit/21d98f3ef29f71b50dacabbf039905f9f0f71b95
generic_textual LOW https://github.com/apache/kylin/commit/21d98f3ef29f71b50dacabbf039905f9f0f71b95
cvssv4 2.1 https://issues.apache.org/jira/browse/KYLIN-5994
generic_textual LOW https://issues.apache.org/jira/browse/KYLIN-5994
cvssv3.1 7.2 https://lists.apache.org/thread/6j19pt8yoqfphf1lprtrzoqkvz1gwbnc
cvssv4 2.1 https://lists.apache.org/thread/6j19pt8yoqfphf1lprtrzoqkvz1gwbnc
generic_textual LOW https://lists.apache.org/thread/6j19pt8yoqfphf1lprtrzoqkvz1gwbnc
ssvc Track https://lists.apache.org/thread/6j19pt8yoqfphf1lprtrzoqkvz1gwbnc
cvssv4 2.1 https://nvd.nist.gov/vuln/detail/CVE-2025-30067
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2025-30067
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2025-30067
https://github.com/apache/kylin
https://github.com/apache/kylin/commit/21d98f3ef29f71b50dacabbf039905f9f0f71b95
https://issues.apache.org/jira/browse/KYLIN-5994
https://lists.apache.org/thread/6j19pt8yoqfphf1lprtrzoqkvz1gwbnc
CVE-2025-30067 https://nvd.nist.gov/vuln/detail/CVE-2025-30067
GHSA-29m8-wh9p-5wc4 https://github.com/advisories/GHSA-29m8-wh9p-5wc4
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N Found at https://github.com/apache/kylin
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N Found at https://github.com/apache/kylin/commit/21d98f3ef29f71b50dacabbf039905f9f0f71b95
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N Found at https://issues.apache.org/jira/browse/KYLIN-5994
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://lists.apache.org/thread/6j19pt8yoqfphf1lprtrzoqkvz1gwbnc
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N Found at https://lists.apache.org/thread/6j19pt8yoqfphf1lprtrzoqkvz1gwbnc
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-27T17:54:19Z/ Found at https://lists.apache.org/thread/6j19pt8yoqfphf1lprtrzoqkvz1gwbnc
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-30067
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.47652
EPSS Score 0.00241
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:23:40.729944+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.kylin/kylin/CVE-2025-30067.yml 38.6.0