{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5739", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-07T13:38:26.568Z", "datePublished": "2026-04-07T19:15:11.183Z", "dateUpdated": "2026-04-07T20:03:03.560Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-07T19:15:11.183Z"}, "title": "PowerJob OpenAPI Endpoint addWorkflowNode GroovyEvaluator.evaluate code injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "n/a", "product": "PowerJob", "versions": [{"version": "5.1.0", "status": "affected"}, {"version": "5.1.1", "status": "affected"}, {"version": "5.1.2", "status": "affected"}], "cpes": ["cpe:2.3:a:powerjob:powerjob:*:*:*:*:*:*:*:*"], "modules": ["OpenAPI Endpoint"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected element is the function GroovyEvaluator.evaluate of the file /openApi/addWorkflowNode of the component OpenAPI Endpoint. The manipulation of the argument nodeParams results in code injection. The attack can be executed remotely. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-07T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-07T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-07T15:43:31.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "anch0r (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/355747", "name": "VDB-355747 | PowerJob OpenAPI Endpoint addWorkflowNode GroovyEvaluator.evaluate code injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355747/cti", "name": "VDB-355747 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/786936", "name": "Submit #786936 | PowerJob 5.1.0/5.1.1/5.1.2 Code Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/PowerJob/PowerJob/issues/1168", "tags": ["issue-tracking"]}, {"url": "https://github.com/PowerJob/PowerJob/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T20:02:56.373092Z", "id": "CVE-2026-5739", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T20:03:03.560Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5739", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T20:02:56.373092Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T20:02:59.592Z"}}], "cna": {"title": "PowerJob OpenAPI Endpoint addWorkflowNode GroovyEvaluator.evaluate code injection", "credits": [{"lang": "en", "type": "reporter", "value": "anch0r (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:a:powerjob:powerjob:*:*:*:*:*:*:*:*"], "vendor": "n/a", "modules": ["OpenAPI Endpoint"], "product": "PowerJob", "versions": [{"status": "affected", "version": "5.1.0"}, {"status": "affected", "version": "5.1.1"}, {"status": "affected", "version": "5.1.2"}]}], "timeline": [{"lang": "en", "time": "2026-04-07T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-07T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-07T15:43:31.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/355747", "name": "VDB-355747 | PowerJob OpenAPI Endpoint addWorkflowNode GroovyEvaluator.evaluate code injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355747/cti", "name": "VDB-355747 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/786936", "name": "Submit #786936 | PowerJob 5.1.0/5.1.1/5.1.2 Code Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/PowerJob/PowerJob/issues/1168", "tags": ["issue-tracking"]}, {"url": "https://github.com/PowerJob/PowerJob/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected element is the function GroovyEvaluator.evaluate of the file /openApi/addWorkflowNode of the component OpenAPI Endpoint. The manipulation of the argument nodeParams results in code injection. The attack can be executed remotely. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-07T19:15:11.183Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5739", "state": "PUBLISHED", "dateUpdated": "2026-04-07T20:03:03.560Z", "dateReserved": "2026-04-07T13:38:26.568Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-07T19:15:11.183Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected element is the function GroovyEvaluator.evaluate of the file /openApi/addWorkflowNode of the component OpenAPI Endpoint. The manipulation of the argument nodeParams results in code injection. The attack can be executed remotely. The project was informed of the problem early through an issue report but has not responded yet."}], "id": "CVE-2026-5739", "lastModified": "2026-04-27T19:04:22.650", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-07T20:16:34.647", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/PowerJob/PowerJob/"}, {"source": "cna@vuldb.com", "url": "https://github.com/PowerJob/PowerJob/issues/1168"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/786936"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355747"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355747/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.1.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.1.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.1.2"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "PowerJob", "source": "cna", "vendor": "n/a"}, "product": "powerjob", "vendor": "powerjob"}], "analysis": {"en": {"generated_at": "2026-04-07T22:21:39.496443+00:00", "value": {"mitigation_remediation": ["Apply the latest PowerJob release that contains the fix.", "If a patch is not yet available, restrict network access to the OpenAPI endpoint and limit exposure to trusted users.", "Implement input validation and monitoring to detect injected code execution attempts."], "summary": {"action": "Patch ASAP", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw impacts PowerJob versions 5.1.0, 5.1.1, and 5.1.2. Users of these releases must confirm whether their environment utilizes the vulnerable OpenAPI endpoint.", "description_and_impact": "The vulnerability resides in the GroovyEvaluator.evaluate function of the OpenAPI endpoint addWorkflowNode. By tampering with the nodeParams argument, an attacker can inject arbitrary Groovy scripts, leading to remote code execution on the PowerJob server and compromising confidentiality, integrity, and availability. This is a data injection flaw (CWE\u201174) that allows runtime code injection (CWE\u201194).", "risk_and_exploitability": "The CVSS score of 6.9 denotes medium severity, and the attack can be conducted remotely without authentication, raising the risk level. No EPSS data or KEV listing is available, so the exploitation likelihood remains uncertain, yet the openness of the endpoint and lack of protective controls suggest a significant threat. Administrators should treat the vulnerability as a potential remote code execution risk until a patch is applied."}}}}, "created": "2026-04-08T19:34:48.891766+00:00", "updated": "2026-04-08T19:46:23.804831+00:00", "vendors": ["powerjob", "powerjob$PRODUCT$powerjob"]}