GHSA-4fp2-3xgg-jg4w

Source
https://github.com/advisories/GHSA-4fp2-3xgg-jg4w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-4fp2-3xgg-jg4w/GHSA-4fp2-3xgg-jg4w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4fp2-3xgg-jg4w
Aliases
  • CVE-2026-5736
Published
2026-04-07T21:32:39Z
Modified
2026-04-08T19:46:47.182843Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Summary
PowerJob vulnerable to SQL injection
Details

A vulnerability was identified in PowerJob 5.1.0, 5.1.1 and 5.1.2. It affects an unknown function in the file powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/InstanceController.java, part of the detailPlus endpoint component. Manipulating the customQuery argument leads to SQL injection. The attack can be carried out remotely. The project was informed of the problem early through an issue report but has not responded yet.

Database specific
{
    "cwe_ids": [
        "CWE-74",
        "CWE-89"
    ],
    "github_reviewed_at": "2026-04-08T19:38:09Z",
    "nvd_published_at": "2026-04-07T19:16:48Z",
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

Maven / tech.powerjob:powerjob-server-starter

Package

Name
tech.powerjob:powerjob-server-starter
Purl
pkg:maven/tech.powerjob/powerjob-server-starter

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.1.0
Last affected
5.1.2

Affected versions

5.*
5.1.0
5.1.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-4fp2-3xgg-jg4w/GHSA-4fp2-3xgg-jg4w.json"