CVE-2026-5736

HIGH7.3EPSS 0.05%

PowerJob vulnerable to SQL injection

Published: 4/7/2026Modified: 4/8/2026

Description

A vulnerability was identified in PowerJob 5.1.0/5.1.1/5.1.2. Impacted is an unknown function of the file powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/InstanceController.java of the component detailPlus Endpoint. The manipulation of the argument customQuery leads to sql injection. Remote exploitation of the attack is possible. The project was informed of the problem early through an issue report but has not responded yet.

Affected packages (1)

Maven/tech.powerjob:powerjob-server-starter>= 5.1.0, <= 5.1.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
osv	CVSS 3.1	HIGH7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References (7)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-5736
PATCHhttps://github.com/PowerJob/PowerJob
WEBhttps://github.com/PowerJob/PowerJob/issues/1167
WEBhttps://github.com/PowerJob/PowerJob/pull/1166
WEBhttps://vuldb.com/submit/786727
WEBhttps://vuldb.com/vuln/355746
WEBhttps://vuldb.com/vuln/355746/cti