Submit #786727: PowerJob 5.1.0/5.1.1/5.1.2 SQL Injectioninfo

TitlePowerJob 5.1.0/5.1.1/5.1.2 SQL Injection
DescriptionA critical vulnerability was found in PowerJob v5.1.0 through v5.1.2. The /instance/detailPlus endpoint in InstanceController.java lacks the @ApiPermission annotation, allowing unauthenticated access. The customQuery parameter is concatenated directly into SQL queries without proper sanitization. The existing keyword blacklist does not include H2 database-specific commands such as RUNSCRIPT and CALL. This allows an unauthenticated attacker to execute arbitrary code on the server via H2 SQL injection. The attack can be initiated remotely without any authentication. A patch has been submitted (PR #1166).
Source⚠️ https://github.com/PowerJob/PowerJob/issues/1167
User
 anch0r (UID 96691)
Submission03/24/2026 04:50 (4 months ago)
Moderation04/07/2026 15:31 (14 days later)
StatusAccepted
VulDB entry355746 [PowerJob 5.1.0/5.1.1/5.1.2 detailPlus Endpoint InstanceController.java customQuery sql injection]
Points20

Do you want to use VulDB in your project?

Use the official API to access entries easily!