Cube Core is vulnerable to Denial of Service (DoS) via crafted request
- Severity: Medium
Description
It is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint.
Recommendation
Update the @cubejs-backend/server-core package to the latest compatible version. Version details:
- Affected version(s): **>= 1.5.0, < 1.5.13** and **>= 1.1.17, < 1.4.2**
- Patched version(s): **1.5.13**, **1.4.2**
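
To find affected copies, including nested ones pulled in by other dependencies, the affected ranges above can be checked against a `package-lock.json`. This is an added example, not code from the advisory or the Cube project; the function names are its own, the lockfile is a constructed sample, and prerelease suffixes are ignored by assumption.

```javascript
// Added example: flag affected @cubejs-backend/server-core versions in a lockfile.
const PKG = "@cubejs-backend/server-core";
// Ranges from the advisory, as [first affected version, first patched version).
const AFFECTED = [
  { from: "1.1.17", fixed: "1.4.2" },
  { from: "1.5.0", fixed: "1.5.13" },
];

// Parse "x.y.z"; prerelease/build suffixes are ignored (assumption of this example).
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semantic version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Returns the patched version to move to, or null when the version is not affected.
function patchedFor(version) {
  const hit = AFFECTED.find(r => compare(version, r.from) >= 0 && compare(version, r.fixed) < 0);
  return hit ? hit.fixed : null;
}

// Scan a parsed package-lock.json (lockfileVersion 2 or 3), including nested copies.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${PKG}`) || !entry.version) continue;
    const fixed = patchedFor(entry.version);
    if (fixed) findings.push({ path, version: entry.version, fixed });
  }
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@cubejs-backend/server-core": { version: "1.5.7" },
    "node_modules/demo-plugin/node_modules/@cubejs-backend/server-core": { version: "1.3.20" },
    "node_modules/other/node_modules/@cubejs-backend/server-core": { version: "1.4.2" },
  },
};

for (const f of scanLockfile(sampleLock)) console.log(`${f.path}: ${f.version} affected, update to ${f.fixed}`);
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `scanLockfile`.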
Related Issues
- Cube Core is vulnerable to privilege escalation via a specially crafted request - CVE-2026-25958
- jsPDF Vulnerable to Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder - CVE-2026-24133
- Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding - CVE-2025-68272
- Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution - CVE-2026-30939
- Tags: npm, @cubejs-backend/server-core
Last updated on February 10, 2026