CVE-2026-5736

HIGH

PowerJob detailPlus Endpoint InstanceController.java sql injection

Title source: cna

Description

A vulnerability was identified in PowerJob 5.1.0/5.1.1/5.1.2. Impacted is an unknown function of the file powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/InstanceController.java of the component detailPlus Endpoint. The manipulation of the argument customQuery leads to sql injection. Remote exploitation of the attack is possible. The project was informed of the problem early through an issue report but has not responded yet.

References (6)

[Vdb Entry, Technical Description] https://vuldb.com/vuln/355746

[Signature, Permissions Required] https://vuldb.com/vuln/355746/cti

[Third Party Advisory] https://vuldb.com/submit/786727

[Issue Tracking] https://github.com/PowerJob/PowerJob/issues/1167

[Patch] https://github.com/PowerJob/PowerJob/pull/1166

[Product] https://github.com/PowerJob/PowerJob/

Scores

CVSS v3 7.3

EPSS 0.0004

EPSS Percentile 13.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-74 CWE-89

Status published

Products (4)

None/PowerJob 5.1.0

None/PowerJob 5.1.1

None/PowerJob 5.1.2

tech.powerjob/powerjob-server-starter 5.1.0Maven

Published Apr 07, 2026

Tracked Since Apr 08, 2026