CVE-2026-5739

HIGH

PowerJob OpenAPI Endpoint addWorkflowNode GroovyEvaluator.evaluate code injection

Title source: cna

Description

A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected element is the function GroovyEvaluator.evaluate of the file /openApi/addWorkflowNode of the component OpenAPI Endpoint. The manipulation of the argument nodeParams results in code injection. The attack can be executed remotely. The project was informed of the problem early through an issue report but has not responded yet.

References (5)

[Third Party Advisory] https://vuldb.com/submit/786936

[Issue Tracking] https://github.com/PowerJob/PowerJob/issues/1168

[Product] https://github.com/PowerJob/PowerJob/

[Vdb Entry, Technical Description] https://vuldb.com/vuln/355747

[Signature, Permissions Required] https://vuldb.com/vuln/355747/cti

Scores

CVSS v3 7.3

EPSS 0.0006

EPSS Percentile 18.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-74 CWE-94

Status published

Products (4)

None/PowerJob 5.1.0

None/PowerJob 5.1.1

None/PowerJob 5.1.2

tech.powerjob/powerjob-server-starter 5.1.0Maven

Published Apr 07, 2026

Tracked Since Apr 08, 2026