{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5736", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-07T13:31:05.148Z", "datePublished": "2026-04-07T18:45:15.491Z", "dateUpdated": "2026-04-08T16:15:07.755Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-07T18:45:15.491Z"}, "title": "PowerJob detailPlus Endpoint InstanceController.java sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "n/a", "product": "PowerJob", "versions": [{"version": "5.1.0", "status": "affected"}, {"version": "5.1.1", "status": "affected"}, {"version": "5.1.2", "status": "affected"}], "cpes": ["cpe:2.3:a:powerjob:powerjob:*:*:*:*:*:*:*:*"], "modules": ["detailPlus Endpoint"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in PowerJob 5.1.0/5.1.1/5.1.2. Impacted is an unknown function of the file powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/InstanceController.java of the component detailPlus Endpoint. The manipulation of the argument customQuery leads to sql injection. Remote exploitation of the attack is possible. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-07T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-07T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-07T15:36:27.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "anch0r (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/355746", "name": "VDB-355746 | PowerJob detailPlus Endpoint InstanceController.java sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355746/cti", "name": "VDB-355746 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/786727", "name": "Submit #786727 | PowerJob 5.1.0/5.1.1/5.1.2 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/PowerJob/PowerJob/issues/1167", "tags": ["issue-tracking"]}, {"url": "https://github.com/PowerJob/PowerJob/pull/1166", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/PowerJob/PowerJob/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T15:46:37.555646Z", "id": "CVE-2026-5736", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:15:07.755Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5736", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T15:46:37.555646Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:46:42.383Z"}}], "cna": {"title": "PowerJob detailPlus Endpoint InstanceController.java sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "anch0r (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:a:powerjob:powerjob:*:*:*:*:*:*:*:*"], "vendor": "n/a", "modules": ["detailPlus Endpoint"], "product": "PowerJob", "versions": [{"status": "affected", "version": "5.1.0"}, {"status": "affected", "version": "5.1.1"}, {"status": "affected", "version": "5.1.2"}]}], "timeline": [{"lang": "en", "time": "2026-04-07T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-07T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-07T15:36:27.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/355746", "name": "VDB-355746 | PowerJob detailPlus Endpoint InstanceController.java sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355746/cti", "name": "VDB-355746 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/786727", "name": "Submit #786727 | PowerJob 5.1.0/5.1.1/5.1.2 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/PowerJob/PowerJob/issues/1167", "tags": ["issue-tracking"]}, {"url": "https://github.com/PowerJob/PowerJob/pull/1166", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/PowerJob/PowerJob/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in PowerJob 5.1.0/5.1.1/5.1.2. Impacted is an unknown function of the file powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/InstanceController.java of the component detailPlus Endpoint. The manipulation of the argument customQuery leads to sql injection. Remote exploitation of the attack is possible. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-07T18:45:15.491Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5736", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:15:07.755Z", "dateReserved": "2026-04-07T13:31:05.148Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-07T18:45:15.491Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in PowerJob 5.1.0/5.1.1/5.1.2. Impacted is an unknown function of the file powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/InstanceController.java of the component detailPlus Endpoint. The manipulation of the argument customQuery leads to sql injection. Remote exploitation of the attack is possible. The project was informed of the problem early through an issue report but has not responded yet."}], "id": "CVE-2026-5736", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-07T19:16:48.137", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/PowerJob/PowerJob/"}, {"source": "cna@vuldb.com", "url": "https://github.com/PowerJob/PowerJob/issues/1167"}, {"source": "cna@vuldb.com", "url": "https://github.com/PowerJob/PowerJob/pull/1166"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/786727"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355746"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355746/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.1.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.1.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.1.2"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "PowerJob", "source": "cna", "vendor": "n/a"}, "product": "powerjob", "vendor": "powerjob"}], "analysis": {"en": {"generated_at": "2026-04-07T22:24:46.320118+00:00", "value": {"mitigation_remediation": ["Upgrade PowerJob to a release newer than 5.1.2 that incorporates the fix in pull request 1166.", "If an upgrade is not immediately possible, restrict external access to the detailPlus endpoint or isolate it behind a firewall.", "Implement input validation to reject or sanitize the customQuery parameter.", "Monitor logs for evidence of attempted SQL injection on the detailPlus endpoint."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "Version 5.1.0, 5.1.1, and 5.1.2 of the PowerJob platform are affected. All instances that expose the detailPlus endpoint are susceptible, regardless of the deployment environment.", "description_and_impact": "A vulnerability was discovered in the detailPlus endpoint of PowerJob servers. An attacker can manipulate the customQuery parameter to inject arbitrary SQL statements, allowing the execution of unintended database commands. Remote attackers could retrieve sensitive data or alter data stored in the back\u2011end database, compromising confidentiality and integrity.", "risk_and_exploitability": "The severity score of 6.9 indicates moderate risk. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires network connectivity to the vulnerable endpoint, and successful exploitation is likely if the server accepts unvalidated SQL fragments. No patch has been officially released by the vendor, but a pull request addressing the issue is available on GitHub, suggesting that a recent revision may contain the fix."}}}}, "created": "2026-04-08T19:34:56.586902+00:00", "updated": "2026-04-08T19:46:34.543226+00:00", "vendors": ["powerjob", "powerjob$PRODUCT$powerjob"]}