CVE-2026-34400
- Source
- https://cve.org/CVERecord?id=CVE-2026-34400
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34400.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-34400
- Aliases
- Published
- 2026-03-31T21:00:59.824Z
- Modified
- 2026-04-10T05:43:22.328681Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- alerta-server has potential SQL Injection vulnerability in Query String Syntax (q=) API
- Details
-
Alerta is a monitoring tool. Prior to version 9.1.0, the Query string search API (q=) was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-supplied search terms directly into SQL strings via f-strings. This issue has been patched in version 9.1.0.
- Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-89" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34400.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34400.json
- https://github.com/alerta/alerta/commit/aeba85a37a09e5769a7a2da56481aa979ff99a00
- https://github.com/alerta/alerta/commit/fdd52cd1abad8d02d1dfb8ecdcdbb43b6af3b883
- https://github.com/alerta/alerta/pull/2040
- https://github.com/alerta/alerta/pull/712
- https://github.com/alerta/alerta/releases/tag/v9.1.0
- https://github.com/alerta/alerta/security/advisories/GHSA-8prr-286p-4w7j
- https://nvd.nist.gov/vuln/detail/CVE-2026-34400
Affected packages
Git / github.com/alerta/alerta
Affected versions
v4.*
v4.10.2
v4.5.5
v5.*
v5.0.0
v5.0.0-alpha1
v5.0.0-alpha2
v5.0.0-alpha3
v5.0.0-beta1
v5.0.0-rc1
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8
v5.0.9
v5.1.0
v5.1.1
v5.2.0
v5.2.1
v5.2.2
v5.2.3
v5.2.4
v5.2.5
v5.2.6
v5.2.7
v5.2.8
v5.2.9
v6.*
v6.0.0
v6.0.1
v6.1.0
v6.2.0
v6.2.1
v6.3.0
v6.3.1
v6.3.2
v6.5.0
v6.6.0
v6.6.1
v6.7.0
v6.7.1
v6.7.2
v6.7.3
v6.7.4
v6.7.5
v6.8.0
v6.8.1
v6.8.2
v6.8.3
v7.*
v7.0.0
v7.0.1
v7.1.0
v7.1.1
v7.1.2
v7.2.0
v7.2.1
v7.2.10
v7.2.11
v7.2.2
v7.2.3
v7.2.4
v7.2.5
v7.2.6
v7.2.7
v7.2.8
v7.2.9
v7.3.0
v7.3.1
v7.3.2
v7.4.0
v7.4.1
v7.4.4
v7.4.5
v7.4.6
v7.5.0
v7.5.1
v7.5.2
v7.5.3
v7.5.4
v7.5.5
v8.*
v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.1.0
v8.2.0
v8.3.0
v8.3.1
v8.3.2
v8.3.3
v8.4.0
v8.4.1
v8.5.0
v8.6.0
v8.6.1
v8.6.2
v8.6.3
v8.6.4
v8.6.5
v8.7.0
v9.*
v9.0.0
v9.0.1
v9.0.2
v9.0.3
v9.0.4