PT-2026-60946 · Surrealdb+1 · Surrealdb+1

·

CVE-2024-58366

·

Published

2026-07-18

·

Updated

2026-07-18

CVSS v3.1

8.5

High

VectorAV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions SurrealDB versions prior to 1.1.1
Description A format string issue exists in the Exception::throw type() function of rquickjs, the Rust binding to the QuickJS engine, when scripting is enabled. Attackers with scripting privileges can provide format string sequences in error inputs to read arbitrary process memory or execute code with the privileges of the SurrealDB process.
Recommendations Update to version 1.1.1 or later.

Fix

RCE

Use of Externally-Controlled Format String

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2024-58366

Affected Products

Surrealdb
Quickjs