| Title | PowerJob 5.1.0/5.1.1/5.1.2 SQL Injection |
|---|
| Description | A critical vulnerability was found in PowerJob v5.1.0 through v5.1.2. The /instance/detailPlus endpoint in InstanceController.java lacks the @ApiPermission annotation, allowing unauthenticated access. The customQuery parameter is concatenated directly into SQL queries without proper sanitization. The existing keyword blacklist does not include H2 database-specific commands such as RUNSCRIPT and CALL. This allows an unauthenticated attacker to execute arbitrary code on the server via H2 SQL injection. The attack can be initiated remotely without any authentication. A patch has been submitted (PR #1166). |
|---|
| Source | ⚠️ https://github.com/PowerJob/PowerJob/issues/1167 |
|---|
| User | anch0r (UID 96691) |
|---|
| Submission | 03/24/2026 04:50 (18 days ago) |
|---|
| Moderation | 04/07/2026 15:31 (14 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 355746 [PowerJob 5.1.0/5.1.1/5.1.2 detailPlus Endpoint InstanceController.java customQuery sql injection] |
|---|
| Points | 20 |
|---|